According to the Cyber Safety Review Board, attackers are exploiting Log4j vulnerability, albeit at a lower level than experts predicted.<\/p>\n
The review board described the Log4j vulnerability as an “endemic vulnerability” that is likely to persist or even persist for decades.<\/p>\n
Log4j is undoubtedly difficult to track because the short line of code that makes up the Java-based utility is embedded in open source software.<\/p>\n
The board found that successful exploitation of the Log4j vulnerability gives attackers access to compromised systems. Moreover, because it was so difficult to detect without a comprehensive Log4j “customer list,” organizations struggled to identify and fix them.<\/p>\n
The vulnerability is complicated because it was disclosed by a third party just before the Apache Software Foundation could issue a fix to address the vulnerability, giving attackers ample time to exploit the vulnerability.<\/p>\n
The board therefore urges the software industry to develop a better model for vulnerability management. Log4j has also highlighted the risks associated with the open source community, which result from resource constraints.<\/p>\n
While the solution will take some time to take effect, technology companies are also increasingly addressing the issue, with US$150 million pledged over the next two years to help strengthen open source security.<\/p>\n