According to the Cyber Safety Review Board, attackers are exploiting Log4j vulnerability, albeit at a lower level than experts predicted.
The review board described the Log4j vulnerability as an “endemic vulnerability” that is likely to persist or even persist for decades.
Log4j is undoubtedly difficult to track because the short line of code that makes up the Java-based utility is embedded in open source software.
The board found that successful exploitation of the Log4j vulnerability gives attackers access to compromised systems. Moreover, because it was so difficult to detect without a comprehensive Log4j “customer list,” organizations struggled to identify and fix them.
The vulnerability is complicated because it was disclosed by a third party just before the Apache Software Foundation could issue a fix to address the vulnerability, giving attackers ample time to exploit the vulnerability.
The board therefore urges the software industry to develop a better model for vulnerability management. Log4j has also highlighted the risks associated with the open source community, which result from resource constraints.
While the solution will take some time to take effect, technology companies are also increasingly addressing the issue, with CA$150 million pledged over the next two years to help strengthen open source security.
The sources for this piece include an article in CIODIVE.