Log4Shell Will Remain an Issue For a Decade

The Log4Shell bug will remain an issue for IT and security teams for possibly a decade or longer, says new Cyber Safety Review Board report.

July 25, 2022 Zachary Comeau Leave a Comment

The critical vulnerability discovered late last year in the popular Java logger Log4j will be impacting IT environments for years due to the difficulty in finding and remediating vulnerable instances of the tool, according to a new report from the U.S. Department of Homeland Security’s Cyber Safety Review Board.

The board—established in the wake of President Joe Biden’s executive order on cybersecurity and consisting of federal cybersecurity experts and executives from private sector IT and security providers—calls the bug an “endemic vulnerability” that could remain in systems for a decade or longer.

The July 11 report, the board’s first, details the difficulty in discovering where and how Log4j is used in an IT environment, as a comprehensive list of products in which the tool is used does not exist.

As end-user organizations and vendors scrambled to discover where Log4j was used, attackers quickly began exploiting the bug and researchers found additional vulnerabilities in the tool, leading to patch fatigue and an inability to distinguish research activity from attacker activity.

“This culminated in one of the most intensive cybersecurity community responses in history,” the board says in its report.

Log4j remains “deeply embedded” in IT systems today, with new compromises, threat actors and methods being discovered every day.

Because vulnerable versions will remain in systems for many years, the board says organizations should continue to monitor this crisis and be prepared to address the vulnerability for the foreseeable future, despite the significant attention and action already devoted to the flaw.

“Most importantly, however, the Log4j event is not over. The Board assesses that Log4j is an “endemic vulnerability” and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” the board says in the report. “Significant risk remains.”

According to some security research, as much as 30% of Log4j instances remain vulnerable to the Log4Shell exploit.

The Cyber Safety Review Board calls on organizations to adopt robust vulnerability management and patching tools and practices to ensure that all vulnerable versions of Log4j are eradicated from their environments, and to prevent the bug, dubbed Log4Shell, from being reintroduced.

Organizations should take a risk-based approach to remediating Log4j bugs so they can take similar actions when other high-severity vulnerabilities in open-source software inevitably surface, the Cyber Safety Review Board says.

Since exploitation of Log4Shell began quickly after the flaw was exposed, the bug is expected to be leveraged by threat actors and nation states for years to come, so the board is urging organizations to report all attacks using the bug to the U.S. Cybersecurity and Infrastructure Security Agency.

In addition, organizations should continue to invest in their cyber defenses and follow security hygiene best practices that include an accurate asset and application inventory, which can help defenders discover where vulnerable Log4j versions are in use.
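As an added illustration of the inventory problem the board describes (example code, not from the article or the CSRB report): a small Python scanner that walks a directory tree, opens every jar/war/ear, and descends into nested archives to report each bundled log4j-core with the version read from its Maven pom.properties and whether the JndiLookup class is still present. The sample war and its contents are constructed inline; the reported versions are meant to be compared against the fixed versions listed in the Apache Log4j security advisories.

```python
import io
import os
import tempfile
import zipfile

# Marker files inside log4j-core jars (real paths in the Log4j 2 artifact).
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, where, findings, depth=0):
    """Record any log4j-core in this archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; skip silently
    names = set(zf.namelist())
    if LOG4J_CORE_POM in names:
        props = zf.read(LOG4J_CORE_POM).decode("utf-8", "replace").splitlines()
        version = next((line.split("=", 1)[1].strip() for line in props
                        if line.startswith("version=")), "unknown")
        # JndiLookup present means the class-removal mitigation was not applied;
        # the version decides whether the build is actually affected.
        findings.append({"path": where, "version": version,
                         "jndi_lookup_present": JNDI_LOOKUP in names})
    if depth < 5:  # fat jars and wars embed jars; bound the recursion
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                inspect_archive(zf.read(name), f"{where}!/{name}", findings, depth + 1)

def scan_tree(root):
    """Walk a directory and return every log4j-core found, nested ones included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(NESTED):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings

def demo():
    """Constructed fixture: a fake log4j-core jar buried inside an application war."""
    root = tempfile.mkdtemp()
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(LOG4J_CORE_POM, "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    return scan_tree(root)
```

Run `scan_tree("/opt")` (or any application root) to inventory real hosts; `demo()` exercises the nested-archive case on the constructed fixture.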

In a statement, Secretary of Homeland Security Alejandro N. Mayorkas said the report comes as the country’s ability to handle risk is not keeping pace with advances in the digital space and cyberattack trends.

“The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security,” Mayorkas said.

Read the report for the full list of 19 specific recommendations for government and industry.

Tagged With: CISA, Cybersecurity, Log4j, Vulnerability Management
