Log4j Vulnerability: Minimal Damage to Date, but Risks Classified as Long-Term Endemic

By Dick Weisinger

The Cyber Safety Review Board last week Thursday released a report on the effect of the Log4j vulnerability on US government agencies. The report found that agencies spent tens of thousands of hours patching the problem since it was first reported.

Rob Silvers, Department of Homeland Security Under Secretary, said that “Log4j is one of the most serious software vulnerabilities in history.”

Log4j is Apache open-source software used as a standard library for logging diagnostic information from Java programs. Java and Log4j are widely used in building business software applications. The vulnerability discovered in the Log4j code would allow attackers to execute arbitrary code on the target computer.

The government report emphasized that, while the vulnerability had been extremely disruptive, there was little evidence of malicious damage caused by it. The report found that “at the time of writing, the board is not aware of any significant Log4j-based attacks on critical infrastructure systems. Somewhat surprisingly, the board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.”

The report also concluded that, because of Log4j’s ubiquitous use, it likely will “be exploited for years to come.”

Thomas Pace, a former Department of Energy cybersecurity lead, said that “just because these attacks have not been detected does not mean that they haven’t happened. We know for a fact that threat actors are exploiting known vulnerabilities across industries. Critical infrastructure is no different.”

Silvers agreed, saying that “this event is not over.”
