This week the US Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) first report into the December 2021 Log4j event, in which a number of vulnerabilities were reported in the Java-based logging framework.
The report’s methodology included a mixture of interviews and requests for information over a 90-day period, engaging with approximately 80 organizations and individuals comprising software developers, end users, security professionals and companies. This was to ensure the board spoke with multiple representatives from a wide variety of viewpoints and to “capture the nuances of how different attack surfaces are designed and defended.”
The report stated that while standardized and reusable “building blocks” are useful for creating and scaling software, this means that any potential vulnerability can be unintentionally integrated into multiple software packages, putting any organization that uses those programs at risk. The report suggested that even though Log4j remains a risk, the government-wide response helped mitigate the vulnerability. The board also identified the need for additional funding to support the mostly volunteer open-source software security community.
Industry specialists, such as Michael Skelton, senior director of security operations at Bugcrowd, said of Log4j: “Dealing with it is a marathon, one that will take years to resolve. Java and Log4j are prevalent everywhere, not only in core projects but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities.”
John Bambenek, principal threat hunter at Netenrich, was more critical of the report’s timing, believing that “anyone still vulnerable is highly unlikely to read this report or in much of a position to do anything about it if they did. Most of the American economy is small to medium businesses that almost always never have a CISO and likely not even a CIO. Until we find ways to make the public without security budgets safe, no high-level list of best practices will move the ball significantly.”
The CSRB’s report went on to state that, fortunately, it is unaware of any significant Log4j-based attacks on critical infrastructure assets or systems and that attempts to exploit Log4j occurred at a lower level than many specialists anticipated. However, the report stresses that the Log4j event is “not over” and that Log4j will remain an “endemic vulnerability” for many years, with significant risk remaining.
The report culminated in 19 actionable recommendations for government and industry, split into four subcategories. These were:
- Address Continued Risks of Log4j
- Drive Existing Best Practices for Security Hygiene
- Build a Better Software Ecosystem
- Investments in the Future