CSRB: Log4J to Remain Threat for at Least the Next Decade

Organizations have spent significant resources as they struggled with this problem.

Edward Gately, Senior News Editor

July 14, 2022


The Cyber Safety Review Board (CSRB) says the Log4j vulnerability, which has plagued security professionals globally for several months, will be an “endemic vulnerability” for years to come.

The U.S. Department of Homeland Security assembled the CSRB early this year. The board investigates major national cybersecurity incidents in an effort to improve the nation’s cyber resilience.

The CSRB released its first report this week, examining events around the disclosure of the Log4j vulnerability last December. The board engaged with nearly 80 organizations and individuals representing software developers, end users, security professionals and companies.

Apache Log4j is a free, open source Java logging library. The flaw disclosed in December (known as Log4Shell, CVE-2021-44228) lets an attacker who can get a crafted string into a logged message make an unpatched server fetch and run attacker-controlled code. The Apache project shipped fixed versions within days, but Log4j is bundled inside countless other products and dependencies, so every vendor and every organization has to find and update its own copies rather than rely on a single fix.

Log4j was widely expected to lead to an explosion of attacks. The board's findings were more measured.

“At the time of writing, the board is not aware of any significant Log4j-based attacks on critical infrastructure systems,” the CSRB said in its report. “Somewhat surprisingly, the board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability. It has been difficult to arrive at this conclusion. While cybersecurity vendors were able to provide some anecdotal evidence of exploitation, no authoritative source exists to understand exploitation trends across geographies, industries or ecosystems. Many organizations do not even collect information on specific Log4j exploitation, and reporting is still largely voluntary.”

Most importantly, the CSRB said the Log4j event is far from over. Vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.

Organizations have spent significant resources as they struggled with this problem, the board said.

“For example, one federal cabinet department reported dedicating 33,000 hours to Log4j vulnerability response to protect the department’s own networks,” it said. “These costs, often sustained over many weeks and months, delayed other mission-critical work, including the response to other vulnerabilities.”

Michael Skelton is senior director of security operations at Bugcrowd.

“Dealing with Log4J is a marathon, one that will take years more to resolve,” he said. “Java and Log4j are prevalent everywhere, not only in core projects, but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities. While the initial wave of Log4J findings has subsided, we do still see Log4J over bug bounty programs somewhat frequently as the crowd dives deeper into the vulnerability, and looks into the dependencies of projects for its presence.”

Complexity of Patching Creates More Difficulties

Matthew Warner is CTO and co-founder of Blumira.

“The complexity of patching unknown Log4j systems continues to add more difficulties for organizations,” he said. “A purchased appliance may have a vulnerable version of Log4j without any knowledge of the organization. There continues to be exploitation of Log4j across internet-exposed VMware Horizon servers that have not been patched, even within hours of CISA notifications of vulnerable hosts. In the grand scheme of cybersecurity, however, Log4j is not unprecedented. Even three years after exposure, there continues to be exposed remote desktop protocol (RDP) that is vulnerable to BlueKeep.”

Vulnerabilities that live within infrastructure have longevity and stickiness, Warner said. That's due to the complexity of networks and to IT staff turnover, which leaves behind undocumented devices.
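Skelton's point about Log4j hiding in the dependencies of other projects and Warner's point about appliances that ship a vulnerable copy without the buyer's knowledge come down to the same practical problem: the vulnerable jar is rarely sitting in plain sight. It is usually nested inside a war, an ear or a vendor's fat jar, and a scanner that only looks at file names on disk will miss it. The script below is an added example, not code from the CSRB report, Bugcrowd or Blumira. It opens archives recursively, identifies a Log4j 2 core jar by its Maven pom.properties (an assumption that the jar keeps the standard Maven layout), compares the version against the Apache fix releases for the December 2021 issue (2.15.0, with 2.12.2 and 2.3.1 for the older Java 7 and Java 6 branches) and reports whether JndiLookup.class, the class that the common interim mitigation deleted, is still present. The directory tree it scans is constructed in a temporary folder, with placeholder bytes standing in for the real class file; the file names, the "appliance.jar" vendor artifact and the `MAX_NESTING` limit are illustrative choices, not anything from the page.

```python
"""Recursive scanner for Log4j 2 core jars nested inside wars, ears and fat jars.

Added example; not code from the CSRB report, Bugcrowd or Blumira. Assumes the
standard Maven layout inside log4j-core jars. The sample tree is constructed below.
"""
import io
import os
import re
import sys
import tempfile
import zipfile

# Markers of a Log4j 2 core jar (standard Maven layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 6  # illustrative guard against pathological or malicious nesting


def parse_version(pom_text):
    """Pull the version= line out of a Maven pom.properties file."""
    m = re.search(r"^version=(\S+)", pom_text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.17.1-SNAPSHOT'."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def classify(version, has_jndi_lookup):
    """Compare against the Apache fix versions for the December 2021 JNDI RCE:
    2.15.0, plus the 2.12.2 (Java 7) and 2.3.1 (Java 6) backports. An older
    version with JndiLookup.class deleted from the jar counts as 'mitigated'."""
    key = version_key(version)
    fixed = (
        key >= (2, 15, 0)
        or (key[:2] == (2, 12) and key >= (2, 12, 2))
        or (key[:2] == (2, 3) and key >= (2, 3, 1))
    )
    if fixed:
        return "patched"
    return "vulnerable" if has_jndi_lookup else "mitigated"


def scan_archive(zf, location, findings, depth=0):
    """Inspect one open zip, then descend into every archive it contains."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        if version:
            findings.append((location, version, classify(version, JNDI_LOOKUP in names)))
    if depth >= MAX_NESTING:
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # the suffix lied; not a zip
            with inner:
                scan_archive(inner, f"{location}!{name}", findings, depth + 1)


def scan_tree(root):
    """Walk a directory tree; return sorted (location, version, status) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                zf = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue
            with zf:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                scan_archive(zf, rel, findings)
    return sorted(findings)


# --- constructed sample input (not real artifacts) ----------------------------
def _fake_log4j_core(version, include_jndi=True):
    """Minimal jar carrying only the two marker files; placeholder class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # not real bytecode
    return buf.getvalue()


def build_sample_tree(root):
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "vendor"))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.17.1"))  # plain jar, up to date
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:  # nested, vulnerable
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "vendor", "appliance.jar"), "w") as fat:
        fat.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar",  # old, JndiLookup removed
                     _fake_log4j_core("2.14.1", include_jndi=False))


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for location, version, status in results:
        print(f"{status:10} {version:8} {location}")
```

Run it with a directory argument to scan a real tree, or with no arguments to scan the constructed sample, which yields one patched jar, one vulnerable jar two layers deep in a war, and one old jar whose JndiLookup.class has been stripped. A version check alone would flag that last one as vulnerable; a class check alone would miss that it is still an out-of-date build that should be replaced once the vendor ships an update.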

“It will take many years for the industry to remove and update all legacy Log4j solutions and support to identify impacted solutions, and getting this information to organizations will be necessary for private/public partnership success,” he said.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.