AP

Log4j software flaw ‘endemic,’ new cyber safety panel says

Jul 14, 2022, 8:25 AM | Updated: 8:59 am

A computer vulnerability discovered last year in a ubiquitous piece of software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.

The Cyber Safety Review Board said in a report Thursday that while there hasn’t been sign of any major cyberattack due to the Log4j flaw, it will still “be exploited for years to come.”

“Log4j is one of the most serious software vulnerabilities in history,” the board’s chairman, Department of Homeland Security Under Secretary Rob Silvers, told reporters Wednesday.

The Log4j flaw, made public late last year, lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.

The flaw’s discovery prompted urgent warnings by government officials and massive efforts by cybersecurity professionals to patch vulnerable systems.

The board said Thursday that “somewhat surprisingly” the exploitation of the Log4j bug had occurred at lower levels than experts predicted. The board also said that it was unaware of any “significant” Log4j attacks on critical infrastructure systems but noted that some cyberattacks go unreported.

The board said future attacks are likely in large part because Log4j is routinely embedded with other software and can be hard for organizations to find running in their systems.

“This event is not over,” Silvers said.

Log4j, written in the Java programming language, logs user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers.

A security researcher at the Chinese tech giant Alibaba notified the foundation on Nov. 24. It took two weeks to develop and release a fix. Chinese media reported that the government punished Alibaba for not reporting the flaw earlier to state officials.

The board said Thursday it found “troubling elements” with the Chinese government’s policy toward vulnerability disclosures, saying it could give Chinese state hackers an early look at computer flaws they could use for nefarious means like stealing trade secrets or spying on dissidents. The Chinese government has long denied wrongdoing in cyberspace and told the board that it encourages improved information sharing on software vulnerabilities.

The board offered a number of recommendations on mitigating the fallout of the Log4j flaw as well as improving cybersecurity generally. That includes the suggestion that universities and community colleges make cybersecurity training a required part of computer science degree and certification programs.

The Cyber Safety Review Board is modeled after the National Transportation Safety Board, which reviews plane crashes and other major accidents, and was mandated by an executive order Biden signed last May. The 15-member board is made up of FBI, National Security Agency and other government officials as well as people from the private sector. Some supporters of the new board criticized DHS for taking so long to get it up and running.

Biden’s executive order directed the board to conduct its first review on the massive Russian cyber espionage campaign known as SolarWinds. Russian hackers were able to breach several federal agencies, including accounts belonging to top cybersecurity officials at DHS, though the full fallout from that campaign is still unclear.

Silvers said DHS and the White House agreed that reviewing the Log4j flaw was a better use of the new board’s expertise and time.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

AP

Arizona will not approve new housing construction on the fast-growing edges of metro Phoenix that r...

Associated Press

Arizona Senate passes plan to manage rural groundwater, but final success is uncertain

A plan to manage rural groundwater passed the Arizona Senate amid concerns about the availability of sufficient water for future generations.

16 hours ago

A woman pauses while shopping at a Kohl's store in Clifton, N.J., Jan. 26, 2024. On Thursday, Feb. ...

Associated Press

Federal Reserve’s preferred inflation gauge picked up last month in sign of still-elevated prices

An inflation gauge favored by the Federal Reserve increased in January, the latest sign that the slowdown in U.S. consumer price increases is occurring unevenly from month to month.

2 days ago

This undated image provided by Mikel Desmond shows his brother Marcus Tessier, who turned up in Dem...

Associated Press

Missing teen with autism found in New Mexico, about 200 miles away from his Arizona home

A missing teen with autism has been found in New Mexico — about 200 miles away from his home in southern Arizona.

2 days ago

A newly released report on last year’s fatal crash involving a pickup truck and a group of bicycl...

Associated Press

Report suggests steering of vehicle that caused fatal Goodyear bicycle crash worked fine

A new report on last year’s fatal Goodyear bicycle crash has cast doubts about the driver’s claim the vehicle’s steering locked up.

3 days ago

Israeli Embassy...

Associated Press

US airman dies after setting himself ablaze outside Israeli Embassy in Israel-Hamas war protest

An active-duty member of the U.S. Air Force has died after he set himself ablaze outside the Israeli Embassy in Washington, D.C.

5 days ago

Biden and Trump to visit Mexico border Thursday immigration...

Associated Press

Biden and Trump both plan trips to the Mexico border Thursday, dueling for advantage on immigration

President Joe Biden and former President Donald Trump will make dueling trips to the U.S-Mexico border on Thursday.

5 days ago

Sponsored Articles

...

DISC Desert Institute for Spine Care

Sciatica pain is treatable but surgery may be required

Sciatica pain is one of the most common ailments a person can face, and if not taken seriously, it could become one of the most harmful.

...

Collins Comfort Masters

Avoid a potential emergency and get your home’s heating and furnace safety checked

With the weather getting colder throughout the Valley, the best time to make sure your heating is all up to date is now. 

...

Canvas Annuity

Interest rates may have peaked. Should you buy a CD, high-yield savings account, or a fixed annuity?

Interest rates are the highest they’ve been in decades, and it looks like the Fed has paused hikes. This may be the best time to lock in rates for long-term, low-risk financial products like fixed annuities.

Log4j software flaw ‘endemic,’ new cyber safety panel says