Log4j Vulnerability Could Be Here For a Decade, Cyber Safety Review Board Says

A major report on the Log4j vulnerability shows it’ll be a problem for a while.
Image credit: Seksan Mongkhonkhamsao/Getty Images

US government agencies have spent tens of thousands of hours securing the Log4j vulnerability since its discovery in December, the Cyber Safety Review Board said Thursday in its inaugural report to the public. Yet this vulnerability could be a cybersecurity issue for a decade or more, the board said.

The vulnerability in Apache Log4j, a widely used Java logging library, can be used by hackers to take over computer servers if it isn’t patched. The library is popular partially because it’s free, but that means companies are left to create patches for it on their own. This can be a gargantuan lift. The review board, which was formed earlier this year under the Department of Homeland Security, noted that one cabinet agency had already spent 33,000 hours responding to the weakness.

Around the time the Log4j vulnerability became public knowledge, the US government warned companies to be on high alert against cyberattacks. Although attacks exploiting the vulnerability have occurred, they haven’t been as severe as feared.

“At the time of writing, the board is not aware of any significant Log4j-based attacks on critical infrastructure systems,” the Cyber Safety Review Board said. “Somewhat surprisingly, the board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.”

Because it is so widespread, though, the board called the issue an “endemic vulnerability” that could persist for years to come. “Significant risk remains,” according to the report.