
Review board offers 19 recs for ‘endemic’ Log4j threat

While much “went right” in the response to Log4j flaws, “significant risk remains,” said the CSRB.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Not that we need the metaphor, but the Cyber Safety Review Board used its inaugural report to describe the Log4j vulnerability as similar to an illness that will be around for a while.

“The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for years to come, perhaps a decade or longer,” the CSRB said in the report last month.

To fight the potentially-everywhere threat, the recently formed advisory board, made up of both government and private-sector members, offered 19 recommendations to address continued Log4j risks, including having a documented vulnerability-response program, investing in secure software-development training, and cataloging software components in a bill of materials. (See the full report and list of best practices here.)

Another depressing medical term to look up. Endemic refers to an outbreak that is limited but consistently present—like the flu, chicken pox, or Shark Tank.

The open-source Java-based logging platform known as Log4j is consistently present and incorporated into thousands of software components globally, according to the CSRB report, often at different stages of integration, which can make the vulnerability difficult to spot with what the CSRB described as “common scanning approaches.”
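As an added illustration (not part of the IT Brew article or the CSRB report) of why a scan that only lists top-level files misses Log4j buried inside nested archives, this Python script descends into jars embedded in wars and ears and reports every log4j-core it finds, with the version taken from the Maven pom.properties that log4j-core ships with. The sample .ear it builds is constructed, and the file names and version string are assumptions.

```python
"""Recursive scan of Java archives for bundled log4j-core, including archives
nested inside other archives (jar inside war inside ear), which a scan that
only lists the top-level files of a deployment would miss."""
import io
import zipfile

# Maven metadata that log4j-core ships inside its own jar; the version is read from here.
LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(data: bytes) -> str:
    """Pull the version= line out of a pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def find_log4j_core(blob: bytes, label: str, depth: int = 0, max_depth: int = 8) -> list:
    """Return (nested_path, version) for every log4j-core found in `blob` or in any
    archive it embeds. `label` is the human-readable path used in the report."""
    hits = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(blob)):
        return hits
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name == LOG4J_POM:
                hits.append((label, _version_from_pom(zf.read(name))))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Descend into embedded archives instead of stopping at the first layer.
                hits.extend(find_log4j_core(zf.read(name), f"{label}!{name}", depth + 1, max_depth))
    return hits


def _make_zip(entries: dict) -> bytes:
    """Build an in-memory zip (jar/war/ear are zip files) from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def constructed_sample() -> bytes:
    """Constructed input: an .ear carrying a .war that bundles a stand-in
    log4j-core jar (only Maven metadata, no real Log4j code)."""
    core = _make_zip({LOG4J_POM: b"version=2.14.1\nartifactId=log4j-core\n"})
    war = _make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": core, "index.html": b"<html/>"})
    return _make_zip({"app.war": war})


if __name__ == "__main__":
    for path, version in find_log4j_core(constructed_sample(), "shop.ear"):
        print(f"{path}: log4j-core {version}")
```

Feeding the script the bytes of a real deployment archive reports each bundled copy and its version, so the nested path tells you which component owns the dependency that needs updating.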

Everybody’s working through the weekend. The flaw, called “Log4Shell,” was first reported privately to Apache on November 24, 2021 and then patched throughout December of that year. Pre-patch, an attacker who could get crafted content into a message that Log4j logged could use it to have the affected system execute the attacker’s code.

The early efforts to address the vulnerability were swift, according to the CSRB report.

“Responders, spanning the public and private sectors, the open-source community, and researchers globally, collaborated and communicated in a dedicated fashion, working through weekends and the December holidays,” according to the report.

David Wong, VP at Mandiant, learned of the Log4j vulnerability at dinner on a Friday night and saw quick action from clients.

“Over the next couple of days, clients called us, and they were already in the middle of identifying systems that had [the vulnerability], and patching them,” Wong told IT Brew.

‘Significant risk remains.’ Despite the successful early remediation, vulnerable instances remain.

A team from Rezilion identified more than 90,000 internet-facing applications and more than 68,000 servers open to Log4j exploits. And, according to CISA, malicious actors are continuing to exploit Log4Shell in VMware Horizon Systems.

As the report stated, “The Log4j event is not over.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
