Major Cyber Bug in Log4j to Persist as ‘Endemic’ Risk for Years to Come, U.S. Government Board Finds

“The Log4j event is not over,” the report said. “The board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”

The findings were the first of their kind to be issued by the Cyber Safety Review Board, a panel of experts from various government agencies and the private sector, and include recommendations for businesses to guard against the Log4j threat. The board, housed within the Department of Homeland Security, was established earlier this year to examine significant cybersecurity events. It is loosely modeled on the National Transportation Safety Board that investigates train derailments and airplane crashes. It is expected to regularly review major national cybersecurity episodes and issue public findings and recommendations.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future,” said Rob Silvers, a top official at DHS and chairman of the board.

Security researchers uncovered last December a major flaw in Log4j, an open-source software logging tool. It is a widely used piece of free code that logs activity in computer networks and applications.

A patch was quickly made available to address the security hole in Log4j, but updates are frequently ignored by organizations for weeks, months or even years before being installed. The tool is used in products including networking tools, security software and videogame servers and has been downloaded millions of times, according to its developer.

Given the popularity of Log4j and the ease with which hackers can use it to burrow deeply into victims’ computer systems, senior Biden administration officials had warned it was likely one of the most severe cybersecurity vulnerabilities on record.

But such fears have so far not been fully realized, the board found, even as it warned that Log4j could create problems for years.

For example, the board said in its report that it had not found evidence of any “significant Log4j-based attacks on critical infrastructure systems.” It added that exploitation levels had “occurred at lower levels than many experts predicted” but acknowledged limitations with its ability to comprehensively gauge such trends, especially because reporting of cybersecurity problems by companies is often voluntary.

The board also determined that there was no evidence that any hacker took advantage of the flaw before it was publicly revealed by a researcher at the Chinese tech company

Alibaba Group Holding Ltd.

The researcher alerted the software foundation that maintains Log4j. The panel warned, however, that a hack could occur in the future.

The Chinese ministry in charge of technology suspended a cybersecurity partnership with Alibaba’s cloud-computing unit due to the handling of the disclosure, Chinese state media reported at the time. The board said it asked China about the punishment of Alibaba but didn’t receive an answer, and raised concerns about Chinese laws that require companies to disclose vulnerabilities to the government. Such a system could be abused by Chinese state-sponsored hackers who are made aware of flaws first and could exploit them before they are patched, the board said.

“This is a disturbing prospect given the [Chinese] government’s known track record of intellectual property theft, intelligence collection, surveillance of human rights activists and dissidents, and military cyber operations,” the report said.

China has routinely denied Western accusations that it engages in malicious cyber activity.

Write to Dustin Volz at [email protected]