The critical vulnerability discovered late last year in the popular Java logger Log4j will be impacting IT environments for years due to the difficulty in finding and remediating vulnerable instances of the tool, according to a new report from the U.S. Department of Homeland Security’s Cyber Safety Review Board.
The board—established in the wake of President Joe Biden’s executive order on cybersecurity and consisting of federal cybersecurity experts and executives from private sector IT and security providers—calls the bug an “endemic vulnerability” that could remain in systems for a decade or longer.
The July 11 report, the board’s first, details the difficulty in discovering where and how Log4j is used in an IT environment, as a comprehensive list of products in which the tool is used does not exist.
As end-user organizations and vendors scrambled to discover where Log4j was used, attackers quickly began exploiting the bug and researchers found additional vulnerabilities in the tool, leading to patch fatigue and an inability to distinguish research activity from attacker activity.
“This culminated in one of the most intensive cybersecurity community responses in history,” the board says in its report.
Log4j remains “deeply embedded” in IT systems today, with new compromises, threat actors and methods being discovered every day.
Because vulnerable versions will remain in systems for many years, the board says, organizations should continue to monitor this crisis and be prepared to address the vulnerability for the foreseeable future, despite the significant attention and action already devoted to the flaw.
“Most importantly, however, the Log4j event is not over. The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” the board says in the report. “Significant risk remains.”
According to some security research, as much as 30% of Log4j instances remain vulnerable to the Log4Shell exploit.
The Cyber Safety Review Board calls on organizations to adopt robust vulnerability management and patching tools and practices to ensure that all vulnerable versions of Log4j are eradicated from their environment, as well as to prevent reintroducing the bug, dubbed Log4Shell.
Organizations should take a risk-based approach to remediating Log4j bugs so they can take similar actions when other high-severity vulnerabilities in open-source software inevitably surface, the Cyber Safety Review Board says.
Since exploitation of Log4Shell began quickly after the flaw was exposed, the bug is expected to be leveraged by threat actors and nation states for years to come, so the board is urging organizations to report all attacks using the bug to the U.S. Cybersecurity and Infrastructure Security Agency.
In addition, organizations should continue to invest in their cyber defenses and employ best practices for security hygiene that include an accurate asset and application inventory, which could help defenders discover where vulnerable Log4j versions are being used.
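The inventory problem the board describes is concrete: Log4j is frequently shipped inside a vendor's application archive rather than as a visible, versioned file, so a search by filename misses copies that have been renamed or shaded into a bundle. The following script is an added example of how a defender can build that inventory; it is not code from the report or the article. It walks a directory tree, opens every JAR/WAR/EAR, recurses into nested archives, and records the log4j-core version from the Maven `pom.properties` entry that the artifact normally carries, falling back to the filename. It also notes whether the `JndiLookup` class is present, which catches shaded copies that carry neither marker. Deciding which versions count as vulnerable is left to the caller via `is_older_than`, with the minimum version taken from whatever vendor or agency guidance applies; the sample tree built by `build_sample_tree` and the version string `2.0.1` in it are constructed test data, not real artifacts.

```python
"""Inventory log4j-core copies on disk, including copies nested inside other archives."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven writes this descriptor into every log4j-core build; it names the exact version.
POM_ENTRY = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Fallback: a conventionally named jar such as .../log4j-core-<version>.jar
FILENAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
# Secondary indicator for shaded or renamed copies that carry neither marker above.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    location: str              # outer file path, then "!" plus each nested entry name
    version: Optional[str]     # None when only the class indicator was found
    jndi_lookup_present: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string as a tuple; pre-release tags (e.g. -beta9) are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def is_older_than(version: str, minimum: str) -> bool:
    """True when `version` sorts below `minimum` after zero-padding to equal length."""
    a, b = parse_version(version), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def _scan_archive(zf: zipfile.ZipFile, location: str) -> Iterator[Finding]:
    names = zf.namelist()
    version = None
    if POM_ENTRY in names:
        for line in zf.read(POM_ENTRY).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is None:
        m = FILENAME_RE.search(location)
        version = m.group(1) if m else None
    jndi = JNDI_LOOKUP in names
    if version is not None or jndi:
        yield Finding(location, version, jndi)
    # Recurse into nested archives (WEB-INF/lib/*.jar, fat jars, EAR modules).
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from _scan_archive(inner, f"{location}!{name}")
            except zipfile.BadZipFile:
                continue  # not a real archive despite its extension


def inventory_log4j(root: str) -> List[Finding]:
    """Walk `root` and return every log4j-core indicator found, nested copies included."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(_scan_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample data: one plainly named jar with a pom.properties descriptor, and a
    WAR holding a shaded copy (no descriptor, neutral filename) that only JndiLookup reveals."""
    os.makedirs(root, exist_ok=True)
    pom = b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.0.1\n"
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.0.1.jar"), "w") as zf:
        zf.writestr(POM_ENTRY, pom)
        zf.writestr(JNDI_LOOKUP, b"")          # placeholder class bytes, constructed
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/vendor-bundle.jar", inner.getvalue())


def run_demo() -> List[Finding]:
    """Build the constructed tree in a temp directory and inventory it."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_sample_tree(root)
    return inventory_log4j(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.location}\n    version={f.version or 'unknown'} JndiLookup={f.jndi_lookup_present}")
```

Run it against a real root (for example the deployment directory of an application server) by calling `inventory_log4j(path)` and feeding each reported version to `is_older_than` with the minimum version your guidance specifies; a finding with `version=None` and `jndi_lookup_present=True` is a shaded copy that needs a manual look, which is exactly the kind of embedded instance the report says keeps this vulnerability alive.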
In a statement, Secretary of Homeland Security Alejandro N. Mayorkas said the report comes as the country’s ability to handle risk is not keeping pace with advances in the digital space and cyberattack trends.
“The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security,” Mayorkas said.
Read the report for the full list of 19 specific recommendations for government and industry.