Log4J Bug Still a Major Risk

Last December, we discussed the then recently disclosed Log4j vulnerability: a severe flaw in Log4j, the logging library used throughout the Java ecosystem.  It was described at the time as perhaps the most serious vulnerability ever seen by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), because of the countless applications that include the Log4j code.  Some even went so far as to call it the worst data breach ever.

New data from the Cyber Safety Review Board (CSRB), established earlier this year, indicates that the vulnerability is endemic across the Java ecosystem.  As a reminder, the Log4j bug lets a remote attacker run malicious code and gain access to the affected system.  We wrote at the time that, because Log4j is used by so many devices around (and even beyond) the world, it would take time to address the compromise.  Recognizing the severity, the CSRB now classifies this vulnerability as one of the most serious in years, with a 10/10 severity score, and one that will be present for the foreseeable future.  As the report states, “The Board predicts that, given the ubiquity of Log4j, vulnerable versions will remain in systems for the next decade, and we will see exploitation evolve to effectively take advantage of the weaknesses.”

Based on its assessment of approximately 80 organizations that were affected by the bug and took steps to mitigate it, the CSRB report compiles its own list of recommendations, which fall under four umbrellas: addressing continued Log4j risks, best practices for security hygiene, improving the software ecosystem, and investing in the future.  If those headings sound vague on their own, the specifics include discovering and upgrading vulnerable versions of Log4j; reporting Log4j exploitation to the FBI or CISA; and developing an accurate IT asset and application inventory together with a response program.  If the location of a weakness is not known, after all, it cannot be fixed.
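The "discover vulnerable versions" and "accurate application inventory" recommendations above come down to knowing which log4j-core builds are actually deployed, including copies buried inside shaded or uber JARs. The following is an added example, not code from NetLib, the CSRB or the Apache Log4j project: a small scanner that walks a directory, reads the Maven metadata that log4j-core ships with, recurses into nested JARs, and flags versions below a policy threshold. The `MIN_SAFE` value is an assumption and must be confirmed against Apache's advisories for each release line you support; the JARs built by `demo()` are constructed samples.

```python
import io, os, tempfile, zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_SAFE = (2, 17, 1)  # assumed policy threshold; confirm against Apache's advisories

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a non-numeric part such as 'beta9' contributes its digits."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in text.split("."))

def inspect_jar(data, name):
    """Findings for one jar given as bytes, recursing into nested (shaded) jars."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM in names:  # Maven metadata bundled with log4j-core
            for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version or JNDI in names:
            # Known version: compare with the threshold. Unknown version but the
            # JNDI lookup class is present: cannot tell, so flag it for review.
            flag = parse_version(version) < MIN_SAFE if version else True
            out.append((name, version, flag))
        for inner in sorted(n for n in names if n.endswith(".jar")):
            out.extend(inspect_jar(zf.read(inner), name + "!" + inner))
    return out

def scan_tree(root):
    """Walk a directory tree and inspect every .jar found (paths relative to root)."""
    out = []
    for d, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".jar"):
                path = os.path.join(d, f)
                with open(path, "rb") as fh:
                    out.extend(inspect_jar(fh.read(), os.path.relpath(path, root)))
    return out

def build_jar(entries):
    """Constructed sample: build an in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()

def demo():
    """Constructed inventory: an app uber-jar bundling an old log4j-core, plus a current one."""
    old = build_jar({POM: b"version=2.14.1\n", JNDI: b""})
    new = build_jar({POM: b"version=2.17.1\n", JNDI: b""})
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.jar"), "wb") as fh:
            fh.write(build_jar({"lib/log4j-core.jar": old}))
        with open(os.path.join(root, "log4j-core.jar"), "wb") as fh:
            fh.write(new)
        return scan_tree(root)
```

Run `scan_tree("/path/to/deployments")` against real hosts and feed the tuples into the asset inventory; a `True` flag with no version means the JNDI lookup class was found but the build could not be identified and needs manual review.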

IT staff who have been working on this problem since its discovery will continue to have their hands full monitoring and remediating the Log4j threat.  Encryption continues to be a vital component of protecting your stored data from compromise, and a complement to the strategies listed in the report.

(As before, none of our products at NetLib Security use Java or Log4j, so they are not affected by this vulnerability.)


By: Jonathan Weicher, post on July 21, 2022
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security