Log4j software flaw ‘endemic’, US cybersecurity panel says

15 July 2022, 11:13

The Department of Homeland Security logo
Cybersecurity Safety Review Board. Picture: PA

The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.

A computer vulnerability discovered last year in a ubiquitous piece of software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by US President Joe Biden.

The Cyber Safety Review Board said in a report on Thursday that while there has not been a sign of any major cyberattack due to the Log4j flaw, it will still “be exploited for years to come”.

“Log4j is one of the most serious software vulnerabilities in history,” the board’s chairman, Department of Homeland Security (DHS) under secretary Rob Silvers, told reporters.

The Log4j flaw, made public late last year, lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics.

The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.

The flaw’s discovery prompted urgent warnings by government officials and massive efforts by cybersecurity professionals to patch vulnerable systems.

The board said on Thursday that “somewhat surprisingly” the exploitation of the Log4j bug had occurred at lower levels than experts predicted.

It also said it was unaware of any “significant” Log4j attacks on critical infrastructure systems but noted that some cyberattacks go unreported.

The board said future attacks are likely in large part because Log4j is routinely embedded with other software and can be hard for organisations to find running in their systems.

“This event is not over,” Mr Silvers said.

Log4j, written in the Java programming language, logs user activity on computers.

Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers.

A security researcher at the Chinese tech giant Alibaba notified the foundation on November 24.

It took two weeks to develop and release a fix.

Chinese media reported that the government punished Alibaba for not reporting the flaw earlier to state officials.

A laptop user
The Cyber Safety Review Board offered a number of recommendations on mitigating the fallout of the Log4j flaw as well as improving cybersecurity generally (Tim Goode/PA)

The board said on Thursday it found “troubling elements” with the Chinese government’s policy towards vulnerability disclosures, saying it could give Chinese state hackers an early look at computer flaws they could use for nefarious means such as stealing trade secrets or spying on dissidents.

The Chinese government has long denied wrongdoing in cyberspace and told the board that it encourages improved information-sharing on software vulnerabilities.

The board offered a number of recommendations on mitigating the fallout of the Log4j flaw as well as improving cybersecurity generally.

That includes the suggestion that universities and community colleges make cybersecurity training a required part of computer science degree and certification programmes.

The Cyber Safety Review Board is modelled on the National Transportation Safety Board, which reviews plane crashes and other major accidents, and was mandated by an executive order Mr Biden signed last May.

The 15-member board is made up of FBI, National Security Agency and other government officials as well as people from the private sector.

Some supporters of the new board criticised the DHS for taking so long to get it up and running.

Mr Biden’s executive order directed the board to conduct its first review on the massive Russian cyber espionage campaign known as SolarWinds.

Russian hackers were able to breach several federal agencies, including accounts belonging to top cybersecurity officials at the DHS, though the full fallout from that campaign is still unclear.

Mr Silvers said the DHS and the White House agreed that reviewing the Log4j flaw was a better use of the new board’s expertise and time.

By Press Association

More Technology News

See more More Technology News

Microsoft surface tablets

Microsoft outage still causing ‘lingering issues’ with email

The Google logon on the screen of a smartphone

Google faces £7 billion legal claim over search engine advertising

Hands on a laptop

Estimated 7m UK adults own cryptoassets, says FCA

A teenager uses his mobile phone to access social media,

Social media users ‘won’t be forced to share personal details after child ban’

Google Antitrust Remedies

US regulators seek to break up Google and force Chrome sale

Jim Chalmers gestures

Australian government rejects Musk’s claim it plans to control internet access

Graphs showing outages across Microsoft

Microsoft outage hits Teams and Outlook users

A person holds an iphone showing the app for Google chrome search engine

Apple and Google ‘should face investigation over mobile browser duopoly’

UK unveils AI cyber defence lab to combat Russian threats, as minister pledges unwavering support for Ukraine

British spies to ramp up fight against Russian cyber threats with launch of cutting-edge AI research unit

Pat McFadden

UK spies to counter Russian cyber warfare threat with new AI security lab

Openreach van

Upgrade to Openreach ultrafast full fibre broadband ‘could deliver £66bn boost’

Laptop with a virus warning on the screen

Nato countries are in a ‘hidden cyber war’ with Russia, says Liz Kendall

Pat McFadden

Russia prepared to launch cyber attacks on UK, minister to warn

A Google icon on a smartphone

Firms can use AI to help offset Budget tax hikes, says Google UK boss

Icons of social media apps, including Facebook, Instagram, YouTube and WhatsApp, are displayed on a mobile phone screen

Growing social media app vows to shake up ‘toxic’ status quo

Will Guyatt questions who is responsible for the safety of children online

Are Zuckerberg and Musk responsible for looking after my kids online?