Cyber Safety Review Board Says Log4j Vulnerabilities Endemic and Will Persist for Years
The Cyber Safety Review Board (CSRB), established by President Biden in February 2022, has published a report on the Log4j vulnerability – CVE-2021-44228 – and associated vulnerabilities that were discovered in late 2021. The vulnerabilities affect the open source Java-based logging tool, Log4j, and, according to CSRB, they are endemic and are likely to be present in many systems for years to come.
The Log4j vulnerability can be exploited remotely to achieve code execution on vulnerable systems and was assigned a maximum CVSS severity score of 10 out of 10. According to the report, the vulnerabilities are among the most serious to be discovered in recent years.
The CSRB includes 15 cybersecurity leaders from the private sector and government and has been tasked with conducting reviews of major cybersecurity events and making recommendations for improving public and private sector cybersecurity. The Log4j vulnerability report is the first to be published by the CSRB since its formation.
“At this critical juncture in our nation’s cybersecurity, when our ability to handle risk is not keeping pace with advances in the digital space, the Cyber Safety Review Board is a new and transformational institution that will advance our cyber resilience in unprecedented ways,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security.”
For the Log4j vulnerability review, the CSRB engaged with almost 80 organizations to gain an understanding of how the vulnerability has been, or is still being, mitigated, in order to develop actionable recommendations to prevent and effectively respond to future incidents such as this.
The report is broken down into three sections: factual information on the vulnerability and what happened, the findings and conclusions based on an analysis of the facts, and a list of recommendations. The 19 actionable recommendations are subdivided into four categories: address the continued risks from the Log4j vulnerabilities; drive existing best practices for security hygiene; build a better software ecosystem; and investments in the future.
One of the most important recommendations is to create and maintain an accurate IT asset inventory, because a vulnerability cannot be addressed in systems nobody knows are running the affected component. It is essential to have a complete software bill of materials (SBOM) that includes all third-party software components and dependencies used in software solutions; one of the biggest problems with addressing the Log4j vulnerabilities has been working out which products were affected. The report also recommends that enterprises develop a vulnerability response program and a vulnerability disclosure and handling process, and suggests the U.S. government investigate whether a Software Security Risk Assessment Center of Excellence is viable.
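As an added example (not from the CSRB report or this article), this is the kind of check an SBOM makes possible: it walks a constructed CycloneDX JSON SBOM and flags every log4j-core component whose version falls inside the published affected range for CVE-2021-44228. The sample SBOM and the range constants are assumptions supplied here, not values taken from the page.

```python
import json

# Constructed CycloneDX-style SBOM fragment for this example (not from the
# CSRB report): a web app bundling two copies of log4j-core, one given as
# explicit group/name/version fields and one only as a purl.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        {"type": "library", "group": "com.example", "name": "webapp",
         "version": "3.2.0"},
    ]})

# Published affected range of log4j-core for CVE-2021-44228 (lower bound
# inclusive, upper bound exclusive); the 2.3.1 and 2.12.2 backports are fixed.
AFFECTED_RANGES = [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]

def parse_version(v):
    """Make '2.14.1' or '2.0-beta9' comparable; pre-releases sort below finals."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))

def is_affected(version):
    """True when the log4j-core version lies in one of the affected ranges."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)

def component_coords(comp):
    """Return (group, name, version), falling back to the purl for missing fields."""
    purl = comp.get("purl", "")
    group = name = version = ""
    if purl.startswith("pkg:maven/"):
        path, _, version = purl[len("pkg:maven/"):].partition("@")
        version = version.partition("?")[0]          # drop purl qualifiers
        group, _, name = path.rpartition("/")
    return comp.get("group", group), comp.get("name", name), comp.get("version", version)

def find_affected_log4j(sbom_json):
    """List every affected log4j-core entry in a CycloneDX JSON SBOM."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        group, name, version = component_coords(comp)
        if group == "org.apache.logging.log4j" and name == "log4j-core" and is_affected(version):
            hits.append((name, version))
    return hits

if __name__ == "__main__":
    for name, version in find_affected_log4j(SAMPLE_SBOM):
        print(f"{name} {version}: affected by CVE-2021-44228")
```

The same walk over a real SBOM is only as good as the inventory behind it, which is the point of the recommendation: a component that never made it into the SBOM is never flagged.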
“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers.