Just before Christmas 2021, Verdict reported on the discovery of a vulnerability within Log4j. This was described by the UK’s National Cyber Security Center as potentially the most severe cybersecurity vulnerability in years.

Log4j is a Java library for logging error messages in enterprise applications, which includes custom applications, networks, and many cloud computing services. Log4Shell, a zero-day vulnerability in the logging library, allows attackers to remotely execute code and gain access to machines.

Last month, the new Cyber Safety Review Board—a public-private initiative set up by the US Department of Homeland Security to investigate major national cybersecurity incidents to improve US cyber resilience—produced a report on what it called the “December 2021 Log4j Event”, covering how the vulnerability occurred, the events surrounding the December 2021 disclosure of the vulnerability, and the lessons learned from it.

Having no ‘customer list’ hindered defenders

The report made clear that cybersecurity defenders faced a particularly challenging situation with Log4j. The vulnerability impacted virtually every networked organization and the severity of the threat required fast action. The fact that there is no comprehensive ‘customer list’ for Log4j, or even a list of where it is integrated as a sub-system, hindered defenders’ progress. It left both enterprises and software vendors scrambling to discover where they used Log4j.

According to the report, the pace, pressure, and publicity compounded the defensive challenges: security researchers quickly found additional vulnerabilities in Log4j, contributing to confusion and “patching fatigue”; defenders struggled to distinguish vulnerability scanning by bona fide researchers from threat actors; and responders found it difficult to find authoritative sources of information on how to address the issues. This culminated in one of the most intensive cybersecurity community responses in history.

The CSRB found that organizations that responded most effectively to the Log4j event understood their use of Log4j and had technical resources and mature processes to manage assets, assess risk, and mobilize their organization and key partners to action.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Some organizations spent massive resources as they struggled with this problem. One US federal cabinet department reported that it had dedicated 33,000 hours to its Log4j vulnerability response to protect the department’s networks. These costs, sustained over many weeks and months, delayed other mission-critical work, including the response to other vulnerabilities.

One of the costs was also human, with the need for an urgent response and the challenges in managing risk contributing to professional burnout among defenders. This may have a long-term impact on the availability of cybersecurity talent, which is already in short supply.

Log4j remains deeply embedded in systems

In its executive summary, the CSRB said that it is not aware of any significant Log4j-based attacks on critical infrastructure systems. It also found that the exploitation of Log4j occurred at lower levels than many experts predicted, given the vulnerability’s severity. 

Such a conclusion was criticized by the chief trust officer at one vendor, who argued in an opinion piece in Dark Reading that given how widely the logging library is used, it is difficult to accept that a significant vulnerability like Log4j did not cause any real damage to critical infrastructures.

The vendor added that the report saying there were no significant incidents was “no reason to drop our guard.” That is important because as the CSRB points out, the Log4j event is not over. The CSRB says Log4j is an “endemic vulnerability” with vulnerable instances of Log4j remaining in systems for perhaps a decade or longer. With community stakeholders continuing to identify new compromises, threat actors, and learnings, the Log4j story has a way to run.