Nuclear-grade Log4j vulnerabilities remain prevalent and have ongoing impact

Log4j “nuclear-grade” vulnerability Log4Shell may affect the world forever.

The U.S. Department of Homeland Security (DHS) Cybersecurity Review Board (CSRB) recently released its investigative report in response to last year’s Log4Shell vulnerability.

The CSRB is an agency established by DHS only this February to investigate major cybersecurity incidents and provide reports containing recommendations to enhance the nation’s cybersecurity. The CSRB’s first investigation was into the “nuclear-grade” vulnerability that erupted in Log4j last year.


The report notes that while there is no indication of a major cyber attack due to the Log4j vulnerability, it will still be “exploited for years to come.” Deputy Secretary of Homeland Security Rob Silvers also stated, “The Log4j vulnerability is one of the most serious software vulnerabilities in history.”

The Board noted that, surprisingly, the Log4j vulnerability has been exploited less than experts had expected. It also said that no major Log4j attacks against critical infrastructure systems have been identified, although a number of cyber attacks are not covered in the report.

The Board said future attacks are likely to emerge in large part because Log4j is often embedded in other software as an indirect dependency, which makes it hard for enterprises to detect where it is running on their systems. It made a number of recommendations for mitigating the impact of the Log4j vulnerability and for improving cybersecurity in general, including a recommendation that universities and community colleges make cybersecurity training a required part of computer science degrees and certification programs.

According to Sonatype's statistics, vulnerable Log4j versions on Maven Central still get over 100,000 downloads per business day.
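The detection problem the Board describes (log4j-core pulled in transitively, so it never appears in a project's own dependency list) can be checked against the output of `mvn dependency:tree`. The script below is an added example, not part of the report or of any Maven tooling; the dependency tree it parses is constructed, and the `min_safe_version` it compares against is an assumed value that should be taken from the Apache Log4j security advisory for your environment.

```python
import re

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed `mvn dependency:tree` output (not real project data): log4j-core is
# reachable both directly and, at an older version, three levels down.
SAMPLE_TREE = r"""[INFO] com.example:webapp:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.5.6:compile
[INFO] |  \- org.example:legacy-logging:jar:3.1.0:compile
[INFO] |     \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
"""


def version_tuple(version):
    """Leading numeric components only: '2.14.1' -> (2, 14, 1), '2.0-beta9' -> (2, 0).
    Pre-release tags are ignored, which is conservative (they sort with the release)."""
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))


def find_log4j_core(tree_text, min_safe_version):
    """Return (version, dependency_path, is_transitive) for every log4j-core
    artifact in a Maven dependency tree whose version is below min_safe_version."""
    findings = []
    path = []  # coordinates of the ancestors at each indentation depth
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        stripped = line.lstrip(" |+\\-")
        depth = (len(line) - len(stripped)) // 3  # Maven indents 3 chars per level
        parts = stripped.split(":")
        if len(parts) < 4:  # not a group:artifact:type[:classifier]:version[:scope] line
            continue
        group, artifact = parts[0], parts[1]
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        del path[depth:]  # pop back to this node's parent
        path.append(f"{group}:{artifact}:{version}")
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            if version_tuple(version) < version_tuple(min_safe_version):
                findings.append((version, " -> ".join(path), depth > 1))
    return findings


if __name__ == "__main__":
    # 2.17.1 is an assumed baseline; confirm it against the Log4j security advisory.
    for version, dep_path, transitive in find_log4j_core(SAMPLE_TREE, "2.17.1"):
        kind = "transitive" if transitive else "direct"
        print(f"log4j-core {version} ({kind}) via {dep_path}")
```

Only the 2.14.1 copy hidden under `legacy-logging` is reported; the direct 2.17.1 dependency passes, which is exactly the case a plain `pom.xml` review misses.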
