Log4j software flaw ‘endemic,’ new cyber safety panel says

Jul 14, 2022, 8:25 AM | Updated: 8:59 am

A computer vulnerability discovered last year in a ubiquitous piece of software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.

The Cyber Safety Review Board said in a report Thursday that while there hasn’t been sign of any major cyberattack due to the Log4j flaw, it will still “be exploited for years to come.”

“Log4j is one of the most serious software vulnerabilities in history,” the board’s chairman, Department of Homeland Security Under Secretary Rob Silvers, told reporters Wednesday.

The Log4j flaw, made public late last year, lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.

The flaw’s discovery prompted urgent warnings by government officials and massive efforts by cybersecurity professionals to patch vulnerable systems.

The board said Thursday that “somewhat surprisingly” the exploitation of the Log4j bug had occurred at lower levels than experts predicted. The board also said that it was unaware of any “significant” Log4j attacks on critical infrastructure systems but noted that some cyberattacks go unreported.

The board said future attacks are likely in large part because Log4j is routinely embedded with other software and can be hard for organizations to find running in their systems.

“This event is not over,” Silvers said.

Log4j, written in the Java programming language, logs user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers.

A security researcher at the Chinese tech giant Alibaba notified the foundation on Nov. 24. It took two weeks to develop and release a fix. Chinese media reported that the government punished Alibaba for not reporting the flaw earlier to state officials.

The board said Thursday it found “troubling elements” with the Chinese government’s policy toward vulnerability disclosures, saying it could give Chinese state hackers an early look at computer flaws they could use for nefarious means like stealing trade secrets or spying on dissidents. The Chinese government has long denied wrongdoing in cyberspace and told the board that it encourages improved information sharing on software vulnerabilities.

The board offered a number of recommendations on mitigating the fallout of the Log4j flaw as well as improving cybersecurity generally. That includes the suggestion that universities and community colleges make cybersecurity training a required part of computer science degree and certification programs.

The Cyber Safety Review Board is modeled after the National Transportation Safety Board, which reviews plane crashes and other major accidents, and was mandated by an executive order Biden signed last May. The 15-member board is made up of FBI, National Security Agency and other government officials as well as people from the private sector. Some supporters of the new board criticized DHS for taking so long to get it up and running.

Biden’s executive order directed the board to conduct its first review on the massive Russian cyber espionage campaign known as SolarWinds. Russian hackers were able to breach several federal agencies, including accounts belonging to top cybersecurity officials at DHS, though the full fallout from that campaign is still unclear.

Silvers said DHS and the White House agreed that reviewing the Log4j flaw was a better use of the new board’s expertise and time.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

AP

This photo provided by Robert Wilkes, owner of a house boat management company, shows smoke rising ...

Associated Press

Houseboats catch fire while docked at Wahweap Marina on Lake Powell

More than half a dozen house boats momentarily caught fire at a popular boating destination on the Utah-Arizona line on Friday.

3 days ago

File - Women work in a restaurant kitchen in Chicago, Thursday, March 23, 2023. On Friday, the U.S....

Associated Press

US hiring, unemployment jump in May and what that says about the economy

The nation’s employers stepped up their hiring in May, adding a robust 339,000 jobs, well above expectations.

3 days ago

(Pixabay Photo)...

Associated Press

Oath Keeper from Arizona sentenced for role in Jan. 6 riot at US Capitol

Edward Vallejo, a U.S. Army veteran from Phoenix, oversaw a “Quick Reaction Force” at a Virginia hotel that was prepared to deploy an arsenal of weapons into Washington if needed, authorities say.

4 days ago

FILE - U.S. Border Patrol Chief Raul Ortiz listens during a news conference, Jan. 5, 2023, in Washi...

Associated Press

US Border Patrol chief is retiring after seeing through end of Title 42 immigration restrictions

The head of the U.S. Border Patrol announced Tuesday that he was retiring, after seeing through a major policy shift that seeks to clamp down on illegal crossings at the U.S.-Mexico border following the end of Title 42 pandemic restrictions.

5 days ago

FILE - President Joe Biden talks with House Speaker Kevin McCarthy of Calif., on the House steps as...

Associated Press

House OKs debt ceiling bill to avoid default, sends Biden-McCarthy deal to Senate

The House approved a debt ceiling and budget cuts package late Wednesday, as President Joe Biden and Speaker Kevin McCarthy assembled a bipartisan coalition of centrist Democrats and Republicans against fierce conservative blowback and progressive dissent.

5 days ago

Sean Bickings (Family Photo via city of Tempe)...

Associated Press

Family of man who drowned last year in Tempe Town Lake files wrongful death lawsuit

The family of a man who drowned in Tempe Town Lake a year ago filed a wrongful death lawsuit against the city Wednesday, noting that its police department doesn't have a policy requiring officers to go into the water to save someone.

5 days ago

Sponsored Articles

...

SANDERSON FORD

Thank you to Al McCoy for 51 years as voice of the Phoenix Suns

Sanderson Ford wants to share its thanks to Al McCoy for the impact he made in the Valley for more than a half-decade.

(Photo: OCD & Anxiety Treatment Center)...

OCD & Anxiety Treatment Center

Here’s what you need to know about OCD and where to find help

It's fair to say that most people know what obsessive-compulsive spectrum disorders generally are, but there's a lot more information than meets the eye about a mental health diagnosis that affects about one in every 100 adults in the United States.

...

Day & Night Air Conditioning, Heating and Plumbing

Company looking for oldest air conditioner and wants to reward homeowner with new one

Does your air conditioner make weird noises or a burning smell when it starts? If so, you may be due for an AC unit replacement.

Log4j software flaw ‘endemic,’ new cyber safety panel says