- Apache Software Foundation President David Nalley on Tuesday told the Senate Homeland Security & Government Affairs Committee it could take months, or even years, to fully eliminate the Log4j vulnerability.
- Every stakeholder in the software industry, especially the federal government and major customers, should be investing in supply chain security, Nalley said. He endorsed efforts like the software bill of materials (SBOM), but said the legislation won't prevent vulnerabilities, only uncover them more quickly.
- Sen. Alex Padilla, D-Calif., raised questions over whether there is a "free rider" problem where large companies benefit from open source contributors, while providing very little compensation in return.
The hearing, almost two months after Log4j was publicly disclosed, exposed a long-dormant debate over the security and inequity concerns facing the open source community.
Log4j is found in hundreds of millions of devices worldwide, and the vulnerability allows even the most unsophisticated threat actor to take control of a device with as few as 12 characters typed into an email, chat window or subject line.
The time required to find vulnerabilities and apply security updates and patches has been a major issue for years, and Log4j put a spotlight on the remediation time.
Almost every major technology company has been forced to wade through their software applications to search for vulnerable versions of Log4j.
On Friday, NIST released guidelines to allow companies to self-attest compliance with secure software development standards, as outlined in a May Executive Order.
Executives at Sonatype, which operates the Maven Central repository, said the NIST guidelines are not enough to fully secure the software supply chain. Sonatype CTO Brian Fox said about 65% of Maven Central users are downloading Log4j versions 2.15 or higher, which include some of the security upgrades related to the vulnerability.
"The other 35% continues to download the versions known to be vulnerable, and this hasn't changed much at all in recent weeks," Fox said via email. "The reason why is that many companies have not covered the basics, and simply don't understand what's in their software."
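The two points above, that an SBOM uncovers vulnerable components faster and that many organizations simply do not know which Log4j versions they ship, come together in a dependency inventory check. The following is an added example, not code from the article, Sonatype or the Apache project: it walks a CycloneDX-style JSON SBOM (including nested components) and flags every log4j-core entry below a minimum version. The sample SBOM and its version numbers are constructed; the 2.15.0 floor is taken from the figure quoted above, and in practice the threshold should be set from the current Apache advisory.

```python
import json
import re

# Constructed sample SBOM in CycloneDX-style JSON. Every component and
# version here is made up for the example; it is not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {
            "group": "com.example", "name": "inventory-service", "version": "3.2.0",
            # CycloneDX allows a component to carry its own nested component list;
            # a flat scan would miss this bundled copy.
            "components": [
                {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.13.3"},
            ],
        },
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
    ],
})

# Minimum acceptable version. Taken from the article's "2.15 or higher" figure;
# set this from the current Apache advisory when running for real.
MIN_SAFE_VERSION = "2.15.0"

LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACT = "log4j-core"


def parse_version(version):
    """Turn a dotted version string into a tuple of ints for ordering.

    Non-numeric suffixes on a segment (e.g. "0-rc1") are dropped, so
    "2.15.0-rc1" orders the same as "2.15.0".
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_below(version, minimum):
    """True if `version` sorts strictly below `minimum` (missing segments count as 0)."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def iter_components(components):
    """Depth-first walk over a CycloneDX component list, including nested components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_vulnerable_log4j(sbom_json, minimum=MIN_SAFE_VERSION):
    """Return every log4j-core component in the SBOM whose version is below `minimum`."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in iter_components(sbom.get("components", [])):
        if comp.get("group") != LOG4J_GROUP or comp.get("name") != LOG4J_ARTIFACT:
            continue
        version = comp.get("version", "")
        if version_below(version, minimum):
            findings.append({"name": comp["name"], "version": version, "minimum": minimum})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_log4j(SAMPLE_SBOM):
        print(f"{finding['name']} {finding['version']} is below {finding['minimum']}: upgrade required")
```

The walk is recursive because an SBOM for a product often nests the components of bundled services or libraries, which is exactly where a stale Log4j copy hides from a flat text search. The check answers only the "what is in our software" question the Sonatype comment raises; a flagged component still needs to be traced back to the build that shipped it before it can be patched.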
Researchers at NHS Digital reported last month that threat actors were exploiting vulnerabilities found in VMware Horizon, a widely used application for remote desktop access.
Brad Arkin, senior vice president, chief security and trust officer at Cisco Systems, told lawmakers that it took the company 50 days to find the full list of vulnerable software during the 2014 Heartbleed vulnerability, plus weeks more to apply patches. The company has made progress over the years and was able to identify and patch Log4j in 10 days.
So far, Log4j has been used to mine devices for cryptocurrency and to hijack computer networks as part of a botnet, according to Jen Miller-Osborn, deputy director of threat intelligence at Unit 42 of Palo Alto Networks.
Threat researchers have reported a small number of foreign governments have worked to exploit Log4j for more sophisticated attacks. Microsoft researchers in December said they saw activity from North Korea, China, Iran and Turkey, while Mandiant researchers reported threat activity from China and Iran.
Correction: This article is being updated to clarify that Sonatype executives said NIST guidelines alone are not enough to fully secure the software supply chain, but SBOMs can start the process.