
Cyber Safety Review Board Declares Log4j An “Endemic Vulnerability”

The Cyber Safety Review Board predicted that Log4j incidents will continue for years to come and labeled it as an “endemic vulnerability.”

In its first-ever report, the Cyber Safety Review Board (CSRB) labeled Log4j (CVE-2021-44228) as an “endemic vulnerability” and said that vulnerable instances of Log4j could remain in systems for “a decade or longer.”

President Biden established the Cyber Safety Review Board in February 2022 as part of the administration’s executive order (EO 14028) on improving the nation’s cybersecurity. The Board is made up of 15 cybersecurity leaders from the federal government and the private sector and functions to review major cyber events and make suggestions for improving security in the private and public sectors.

For the report, CSRB reviewed instances of Log4j exploitation by engaging with approximately 80 organizations to gain an understanding of how organizations dealt with and are still dealing with Log4j.

The Log4j vulnerability was first discovered in November 2021 and was brought to public attention in December. Apache Log4j is an extremely common Java logging library used throughout many sectors, which makes the vulnerability particularly noteworthy. Researchers found that the flaw could give threat actors the ability to execute arbitrary code on an affected system or device.

“Defenders faced a particularly challenging situation; the vulnerability impacted virtually every networked organization and the severity of the threat required fast action. The fact that there is no comprehensive ‘customer list’ for Log4j, or even a list of where it is integrated as a sub-system, hindered defender progress,” the report explained.

“Enterprises and vendors scrambled to discover where they used Log4j. The pace, pressure, and publicity compounded the defensive challenges: security researchers quickly found additional vulnerabilities in Log4j, contributing to confusion and ‘patching fatigue’; defenders struggled to distinguish vulnerability scanning by bona fide researchers from threat actors; and responders found it difficult to find authoritative sources of information on how to address the issues. This culminated in one of the most intensive cybersecurity community responses in history.”

In fact, “patching fatigue” was widely reported and highlighted in a February (ISC)² report. More than half of (ISC)² survey respondents (269 cybersecurity professionals working closely with Log4j) said their teams spent weeks or months remediating Log4j vulnerabilities.

One federal cabinet department told the CSRB that it dedicated 33,000 hours to Log4j vulnerability response just to protect its own networks. Those hours took time and money away from other mission-critical work.

The CSRB found that the organizations that responded most effectively to Log4j had processes in place to assess risk and the resources to respond quickly. However, organizations without proper security architectures struggled with risk management and even found it difficult to justify applying Log4j updates and patches, given the tradeoff between operational disruption and timeliness, the report stated.

The Board predicted that it would continue to see “tension between our collective need for crisis-driven risk management and the foundational investments that would support more rapid response for future incidents.”

The CSRB noted that there have been no significant Log4j-based attacks on critical infrastructure, and the levels of exploitation were actually less severe than experts predicted. However, reporting cybersecurity events is still largely voluntary for most sectors, so it is difficult to get a clear picture of the vulnerability’s reach.

“Most importantly, however, the Log4j event is not over,” the report explained.

“The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”

Through its analysis, the Board came up with several recommendations for organizations as they continue to safeguard against Log4j vulnerabilities. The CSRB recommended that organizations continue to report exploitation observations and that CISA expand its capability to develop and publish cyber risk information.

Organizations should also prioritize developing industry-accepted best practices and invest in technologies to identify vulnerable systems and mitigate risk. The CSRB also urged industry stakeholders to build a better software ecosystem and move toward a more proactive model of vulnerability management by implementing software bills of materials (SBOMs) and increasing investment in open-source software security.

“The Cyber Safety Review Board has established itself as a new, innovative, and enduring institution in the cybersecurity ecosystem,” Robert Silvers, CSRB chair and Department of Homeland Security (DHS) under secretary for policy, said in an accompanying press release.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity.”

The Log4j vulnerability saga, while not as widely exploited as previously predicted, revealed gaps in cybersecurity across critical infrastructure and highlighted the importance of patch management and other security best practices.
