Log4j Vulnerability: Minimal Damage to Date, but Risks Classified as Long-Term Endemic
The Cyber Safety Review Board released a report last Thursday on the effect of the Log4j vulnerability on US government agencies. The report found that agencies have spent tens of thousands of hours patching the problem since it was first reported.
Rob Silvers, Department of Homeland Security Under Secretary, said that “Log4j is one of the most serious software vulnerabilities in history.”
Log4j is Apache open source software used as a standard library for logging diagnostic information from Java programs. Java and Log4j are widely used in building business software applications. The vulnerability discovered in the Log4j code allows attackers to execute arbitrary code on the target computer.
The government report emphasized that, while the vulnerability had been extremely disruptive, there was little evidence of malicious damage caused by it. The report found that “at the time of writing, the board is not aware of any significant Log4j-based attacks on critical infrastructure systems. Somewhat surprisingly, the board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.”
The report also concluded that, because of Log4j’s ubiquitous use, it likely will “be exploited for years to come.”
Thomas Pace, a former Department of Energy cybersecurity lead, said that “just because these attacks have not been detected does not mean that they haven’t happened. We know for a fact that threat actors are exploiting known vulnerabilities across industries. Critical infrastructure is no different.”
Silvers agreed, saying that “this event is not over.”