Log4j software flaw ‘endemic,’ new cyber safety panel says

Jul 13, 2022, 8:25 PM | Updated: Jul 14, 2022, 8:47 am
FILE - The Department of Homeland Security logo is seen during a news conference in Washington, Feb...

FILE - The Department of Homeland Security logo is seen during a news conference in Washington, Feb. 25, 2015. A new cybersecurity panel created by President Joe Biden says a computer vulnerability discovered last year in a ubiquitous piece of software is an "endemic" problem that will pose security risks for potentially a decade or more. The Cyber Safety Review Board said in a new report Thursday that while there hasn't been sign of any major cyberattack due to the Log4j flaw, it will still "be exploited for years to come." The Log4j flaw was first made public late last year. (AP Photo/Pablo Martinez Monsivais, File)

(AP Photo/Pablo Martinez Monsivais, File)

A computer vulnerability discovered last year in a ubiquitous piece of software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.

The Cyber Safety Review Board said in a report Thursday that while there hasn’t been sign of any major cyberattack due to the Log4j flaw, it will still “be exploited for years to come.”

“Log4j is one of the most serious software vulnerabilities in history,” the board’s chairman, Department of Homeland Security Under Secretary Rob Silvers, told reporters Wednesday.

The Log4j flaw, made public late last year, lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.

The flaw’s discovery prompted urgent warnings by government officials and massive efforts by cybersecurity professionals to patch vulnerable systems.

The board said Thursday that “somewhat surprisingly” the exploitation of the Log4j bug had occurred at lower levels than experts predicted. The board also said that it was unaware of any “significant” Log4j attacks on critical infrastructure systems but noted that some cyberattacks go unreported.

The board said future attacks are likely in large part because Log4j is routinely embedded with other software and can be hard for organizations to find running in their systems.

“This event is not over,” Silvers said.

Log4j, written in the Java programming language, logs user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers.

A security researcher at the Chinese tech giant Alibaba notified the foundation on Nov. 24. It took two weeks to develop and release a fix. Chinese media reported that the government punished Alibaba for not reporting the flaw earlier to state officials.

The board said Thursday it found “troubling elements” with the Chinese government’s policy toward vulnerability disclosures, saying it could give Chinese state hackers an early look at computer flaws they could use for nefarious means like stealing trade secrets or spying on dissidents. The Chinese government has long denied wrongdoing in cyberspace and told the board that it encourages improved information sharing on software vulnerabilities.

The board offered a number of recommendations on mitigating the fallout of the Log4j flaw as well as improving cybersecurity generally. That includes the suggestion that universities and community colleges make cybersecurity training a required part of computer science degree and certification programs.

The Cyber Safety Review Board is modeled after the National Transportation Safety Board, which reviews plane crashes and other major accidents, and was mandated by an executive order Biden signed last May. The 15-member board is made up of FBI, National Security Agency and other government officials as well as people from the private sector. Some supporters of the new board criticized DHS for taking so long to get it up and running.

Biden’s executive order directed the board to conduct its first review on the massive Russian cyber espionage campaign known as SolarWinds. Russian hackers were able to breach several federal agencies, including accounts belonging to top cybersecurity officials at DHS, though the full fallout from that campaign is still unclear.

Silvers said DHS and the White House agreed that reviewing the Log4j flaw was a better use of the new board’s expertise and time.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

AP

FILE — Pro-union pins sit on a table during a watch party for Starbucks' employees union election...
Associated Press

Starbucks asks labor board to halt union votes temporarily

Starbucks on Monday asked the National Labor Relations Board to temporarily suspend all union elections at its U.S. stores, citing allegations from a board employee that regional NLRB officials improperly coordinated with union organizers. In a letter to the board chairman and other officials, Starbucks said the unnamed career NLRB employee informed the company about […]
18 hours ago
FILE - Medicals students display images of deposed Myanmar leader Aung San Suu Kyi during a street ...
Associated Press

UN envoy travels to strife-torn Myanmar for the first time

UNITED NATIONS (AP) — The U.N. special envoy for Myanmar traveled to the Southeast Asian nation Monday for the first time since she was appointed to the post last October. The trip by Nellen Heyzer followed the U.N. Security Council’s latest call for an immediate end to all forms of violence and unimpeded humanitarian access […]
18 hours ago
FILE - Recording artist A$AP Rocky attends the premiere for "Stockholm Syndrome," during the 20th T...
Associated Press

Rapper A$AP Rocky charged with felony assault with a firearm

LOS ANGELES (AP) — Rapper A$AP Rocky was charged with two felonies Monday for pulling a gun on a former friend and firing in Hollywood last year, prosecutors said. The Los Angeles County District Attorney’s Office charged the 33-year-old New York native, whose legal name is Rakim Athelaston Mayers, with two counts of assault with […]
18 hours ago
Associated Press

Colorado man shoots, kills bear after it entered his home

DENVER (AP) — A Colorado man had a rude awaking early Saturday morning when a roughly 400-pound (181-kilogram) bear flipped the lever doorknob to his home and rummaged through some dog food, Colorado Parks and Wildlife officials said Monday. The homeowner, Ken Mauldin, grabbed a gun and shot the bear multiple times until it collapsed […]
18 hours ago
Associated Press

Illegal border crossings fall in July but remain high

WASHINGTON (AP) — Migrants were stopped fewer times at the U.S. border with Mexico in July than in June, authorities said Monday, a second straight monthly decline. Flows were still unusually high, particularly among nationalities less affected by Title 42, a pandemic-era rule that denies migrants legal rights to seek asylum on grounds of preventing […]
18 hours ago
FILE - Law enforcement personnel escort the Trump Organization's former Chief Financial Officer All...
Associated Press

Trump Org. CFO expected to plead guilty in NY tax case

NEW YORK (AP) — Donald Trump’s longtime finance chief is expected to plead guilty as soon as Thursday in a tax evasion case that is the only criminal prosecution to arise from a long-running investigation into the former president’s company, three people familiar with the matter told The Associated Press. Trump Organization CFO Allen Weisselberg […]
18 hours ago

Sponsored Articles

Work at Zum Services...

Seattle Public Schools announces three-year contract with Zum

Seattle Public Schools just announced a three-year contract with a brand-new company to the Pacific Northwest to assist with their student transportation: Zum.
Swedish Cyberknife 900x506...

June is Men’s Health Month: Here’s Why It’s Important To Speak About Your Health

According to the Centers for Disease Control and Prevention, men in the United States, on average, die five years earlier than women.
...

Anacortes – A Must Visit Summertime Destination

While Anacortes is certainly on the way to the San Juan Islands (SJI), it is not just a destination to get to the ferry… Anacortes is a destination in and of itself!
...

Ready for your 2022 Alaskan Adventure with Celebrity Cruises?

Celebrity Cruises SPONSORED — A round-trip Alaska cruise from Seattle is an amazing treat for you and a loved one. Not only are you able to see and explore some of the most incredible and visually appealing natural sights on the planet, but you’re also able to relax and re-energize while aboard a luxury cruise […]
...

Compassion International Is Determined to ‘Fill’ a Unique Type of Football ‘Stadium’

Compassion International SPONSORED — During this fall’s football season—and as the pandemic continues to impact the entire globe—one organization has been urging caring individuals to help it “fill” a unique type of “stadium” in order to make a lasting difference in the lives of many. Compassion International’s distinctive Fill the Stadium (FtS, fillthestadium.com) initiative provides […]
...

What are the Strongest, Greenest, Best Windows?

Lake Washington Windows & Doors SPONSORED — Fiberglass windows are an excellent choice for window replacement due to their fundamental strength and durability. There is no other type of window that lasts as long as fiberglass; so why go with anything else? Fiberglass windows are 8x stronger than vinyl, lower maintenance than wood, more thermally […]
Log4j software flaw ‘endemic,’ new cyber safety panel says