The US Department of Homeland Security has warned that the world is likely to be dealing with the fallout from the Log4j vulnerability for a decade or more.
The Log4j vulnerability – also known as Log4Shell – is a critical flaw in a widely used Java logging library that can be exploited for remote code execution and to gain full control over millions of vulnerable enterprise systems.
After the Log4j disclosure, the US government asked the Cyber Safety Review Board (CSRB), established in February of this year, to take on Log4j as its first review.
In its first report (PDF), the CSRB said that despite “significant” resources devoted to mitigating Log4j – one federal cabinet department reportedly spent 33,000 hours on its response – the bug is likely to remain “an endemic vulnerability”.
The report says “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”
Log4j created “an enormous attack surface”, and because the software industry lags in providing “bills of materials” for its products (making it hard to discover whether a particular product used the library), it was hard for response teams to identify if the code was in their systems.
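The discovery problem the report describes has two halves: when a bill of materials exists, a response team can search it for the affected component and version; when it does not, the team has to open the shipped artifacts themselves. The following is an added example, not code from the article or the CSRB report, that does both. It assumes a CycloneDX-style JSON SBOM with a top-level `components` list (nested `components` for transitive dependencies), reads the version from log4j-core's own Maven `pom.properties` inside a JAR as the fallback, and uses a placeholder patched-version threshold (`ASSUMED_FIXED_VERSION`) that a responder would replace with the value from the vendor advisory for the specific CVE being handled. The SBOM and JAR inputs are constructed inline.

```python
"""Added example: locate log4j-core in a CycloneDX-style SBOM and, as a
fallback when no SBOM exists, inside a JAR (including one nested level).

Assumptions not stated in the article: the CycloneDX JSON layout below and
the patched-version threshold, which is a placeholder to be taken from the
relevant vendor advisory."""
import io
import json
import re
import zipfile

LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACT = "log4j-core"
# Placeholder threshold (assumption): replace with the advisory's fixed version.
ASSUMED_FIXED_VERSION = "2.17.1"

# Constructed sample SBOM in CycloneDX-like JSON; not a real product's BOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": LOG4J_GROUP,
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": LOG4J_GROUP,
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.example",
         "name": "reporting-ui", "version": "3.2.0",
         # nested component: the transitive-dependency case
         "components": [
             {"type": "library", "group": LOG4J_GROUP,
              "name": "log4j-core", "version": "2.17.1"}]},
    ],
})


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); keeps only the leading digits of each part,
    so '2.0-rc1' -> (2, 0). Good enough for Log4j's numeric versions."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def walk_components(components):
    """Yield every component, recursing into nested 'components' lists."""
    for c in components:
        yield c
        yield from walk_components(c.get("components", []))


def find_log4j_core(sbom_json, fixed_version=ASSUMED_FIXED_VERSION):
    """Return [(version, below_fixed_version)] for each log4j-core found."""
    sbom = json.loads(sbom_json)
    hits = []
    for c in walk_components(sbom.get("components", [])):
        if c.get("group") == LOG4J_GROUP and c.get("name") == LOG4J_ARTIFACT:
            ver = c.get("version", "0")
            hits.append((ver, parse_version(ver) < parse_version(fixed_version)))
    return hits


def log4j_version_in_jar(jar_bytes):
    """Fallback when no SBOM exists: read log4j-core's Maven pom.properties
    from inside a JAR, descending into JARs bundled within it (e.g. lib/*.jar).
    Returns the version string, or None if log4j-core is not present."""
    marker = f"META-INF/maven/{LOG4J_GROUP}/{LOG4J_ARTIFACT}/pom.properties"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == marker:
                text = zf.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
            elif name.endswith(".jar"):
                nested = log4j_version_in_jar(zf.read(name))
                if nested:
                    return nested
    return None


def build_sample_jar():
    """Constructed test artifact: an application JAR bundling log4j-core 2.14.1."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(f"META-INF/maven/{LOG4J_GROUP}/{LOG4J_ARTIFACT}/pom.properties",
                    f"groupId={LOG4J_GROUP}\nartifactId={LOG4J_ARTIFACT}\nversion=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")  # dummy class stub
        zf.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for ver, below in find_log4j_core(SAMPLE_SBOM):
        status = "below assumed fixed version" if below else "at or above"
        print(f"SBOM: log4j-core {ver} -> {status}")
    print("JAR scan: log4j-core", log4j_version_in_jar(build_sample_jar()))
```

The SBOM path is cheap and complete only if every vendor ships one, which is exactly the gap the report points to; the JAR scan is what responders fell back on in practice, and it only finds log4j-core when the Maven metadata survived packaging, so a clean result from it is weaker evidence than a clean SBOM.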
The good news? So far, “the Board is not aware of any significant Log4j-based attacks on critical infrastructure systems.”
“Somewhat surprisingly, the Board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability”, the report stated.
The report highlights the importance of mandatory attack reporting, still in its infancy around the world, since “no authoritative source exists to understand exploitation trends across geographies, industries, or ecosystems”, partly because reporting remains mostly voluntary.
Recommendations in the review include continuing to address risks specific to Log4j, improving security hygiene, improving the software ecosystem, and continued investment in security.