- Log4j, despite its prevalence and the difficulty of finding it, was exploited at lower levels than experts predicted when it was disclosed in December 2021, the Cyber Safety Review Board said in a post-mortem incident report released Thursday. Secretary of Homeland Security Alejandro Mayorkas delivered the report to President Joe Biden.
- Yet, Log4j is an "endemic vulnerability," likely to persist for years or even decades, the review board said. "The Log4j event is not over."
- Mitigating the vulnerability sucked up resources and contributed to burnout, the report said. As an example of the sheer time investment, one federal cabinet department spent 33,000 hours responding to Log4j across its networks.
Log4j, which the review board described as a "once-in-a-generation security event," is a perfect storm for businesses. The short piece of code that makes up the Java-based logging utility is nestled inside other open source software, making it hard to track.
The vulnerability made it easy for threat actors to take control of affected systems, and, since it was so difficult to spot without a comprehensive Log4j "customer list," organizations struggled to identify and remediate it, according to the board.
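The identification problem the board describes is largely an inventory problem: log4j-core is usually buried inside application archives (a JAR inside a WAR inside an EAR), so a filename search misses most copies. The following is an added example, not code from the report or from the Log4j project, of a defender-side inventory scan. It recursively opens nested archives and reports each log4j-core copy by the version recorded in its Maven `pom.properties` and whether the `JndiLookup` class (whose removal was one of the published mitigations) is still present. The sample archives, their version strings and the `demo()` helper are constructed here for illustration; the policy of which versions are acceptable is left to the reader.

```python
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Archive types that commonly carry an embedded log4j-core jar.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata shipped inside log4j-core; it records the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The JNDI lookup class; deleting it from the jar was one published mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    location: str            # archive chain, e.g. app.war!WEB-INF/lib/log4j-core.jar
    version: str             # from pom.properties, or "unknown"
    jndi_lookup_present: bool


def _parse_version(props: bytes) -> str:
    """Pull the version= line out of a Java .properties file."""
    for line in props.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def _scan_archive(data: bytes, location: str, findings: list) -> None:
    """Inspect one archive held in memory, then recurse into any nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inventory
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            findings.append(Finding(location,
                                    _parse_version(zf.read(POM_PROPERTIES)),
                                    JNDI_LOOKUP_CLASS in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{location}!{name}", findings)


def scan_tree(root: str) -> list:
    """Walk a directory and return a Finding for every log4j-core copy, nested or not."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    _scan_archive(f.read(), path, findings)
    return findings


def _fake_log4j_core_jar(version: str, keep_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: metadata plus an optional placeholder class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample deployment: a WAR bundling an unmitigated log4j-core (version string
    chosen for illustration), and a standalone jar from which JndiLookup has been removed."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core_jar("2.14.1", keep_jndi=True))
        zf.writestr("WEB-INF/lib/unrelated.jar", _fake_log4j_core_jar.__doc__)  # a non-log4j jar-like blob
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())
    with open(os.path.join(root, "log4j-core-mitigated.jar"), "wb") as f:
        f.write(_fake_log4j_core_jar("2.17.1", keep_jndi=False))


def demo() -> list:
    """Build the constructed sample tree in a temp dir, scan it, return findings sorted by version."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_sample_tree(root)
    return sorted(scan_tree(root), key=lambda f: f.version)


if __name__ == "__main__":
    for finding in demo():
        status = "JndiLookup PRESENT" if finding.jndi_lookup_present else "JndiLookup removed"
        print(f"{finding.version:>8}  {status:<20}  {finding.location}")
```

Run it against a deployment root (for example `scan_tree("/opt/apps")`) and feed the findings into the asset inventory rather than acting on filenames. Known limitations worth keeping in mind: the scan keys on Maven metadata and on one class path, so shaded or repackaged copies of log4j-core, exploded class directories, and containers that are not zip-based are not detected, and an absent `JndiLookup` class is evidence of one mitigation, not proof that every Log4j issue in that copy is addressed.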
What made the vulnerability particularly disruptive is that a third party disclosed the flaw before the Apache Software Foundation, which supports Log4j, could create a fix, the review board said. A race between threat actors and companies to exploit or fix the vulnerability ensued.
Log4j highlighted how the open source community, often composed of volunteers, has inherent risks stemming from resource constraints. In response, the board called for public and private sector stakeholders to create a hub of centralized resources to better support the open source community.
The board's recommendations echo what the security industry has taken up as a battle cry in the last year: the software industry needs to change to create a better model of vulnerability management.
The problem is, reworking the technology ecosystem will require long-term changes and investments in people and technology. But companies, at a time when people pay a premium for innovation, cannot slow their development.
Industry is trying, however. Technology companies have pledged $150 million in the next two years to help shore up open source security. The review board, which the Department of Homeland Security launched in February, is an example of a public-private partnership built to review and assess significant security events, offering recommendations for how the public can respond. The Log4j report marks the board's first published security incident review.