Cyber Safety Review Board States Log4j Vulnerabilities Endemic and Will Continue for Years

The Cyber Safety Review Board (CSRB), established by President Biden in February 2022, has released a report on the Log4j vulnerability (CVE-2021-44228) and the related vulnerabilities disclosed in late 2021. The vulnerabilities affect Log4j, the open source Java-based logging library. The CSRB concludes that they are endemic and will likely remain in many systems for years to come.

The Log4j vulnerability can be exploited remotely to achieve code execution on vulnerable systems: an attacker who can get a crafted string into a logged message can trigger a JNDI lookup that fetches and runs attacker-supplied code. It was assigned the maximum CVSS severity score of 10 out of 10. According to the report, the vulnerabilities are among the most serious identified in recent years.

The CSRB consists of 15 cybersecurity leaders from private industry and government and was tasked with reviewing significant cybersecurity incidents and making recommendations for improving public and private sector cybersecurity. The Log4j vulnerability report is the first the CSRB has published.

According to Secretary of Homeland Security Alejandro N. Mayorkas, the country's cybersecurity is at a critical juncture, as the ability to manage risk is not keeping pace with developments in the digital space. The Cyber Safety Review Board is therefore an institution seeking to improve cyber resilience in unprecedented ways. The CSRB's first-of-its-kind review has provided the government and industry with clear, actionable advice that DHS can help put into action to strengthen cyber resilience and enhance the public-private partnership that is so essential to collective security.

For the Log4j review, the CSRB engaged with about 80 organizations to understand how the vulnerability was being mitigated, in order to develop actionable recommendations for preventing and effectively responding to future incidents of this kind.

The report is divided into three sections: factual details about the vulnerability and what took place, the findings and conclusions drawn from that information, and a list of recommendations. The 19 actionable recommendations are split into four categories: address the continued risks from the Log4j vulnerabilities; drive existing best practices for security hygiene; build a better software ecosystem; and invest in the future.

One of the most important recommendations is to build and maintain an accurate IT asset inventory, since vulnerabilities cannot be remediated if nobody knows where they are. Organizations should also have a complete software bill of materials (SBOM) listing every third-party component and dependency used in their software. One of the greatest difficulties in dealing with the Log4j vulnerabilities was working out which products were affected, because Log4j is often bundled several layers deep inside other software. The report also recommends that enterprises develop a vulnerability response plan and a vulnerability disclosure and handling process, and that the U.S. government explore whether a Software Security Risk Assessment Center of Excellence is feasible.
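As an added illustration of the inventory problem described above (this is example code written for this page, not tooling from the CSRB report or the Log4j project), the script below walks a directory tree, finds log4j-core inside JAR, WAR and EAR archives, including archives nested inside other archives, reads the version from the Maven `pom.properties` that log4j-core ships with, and flags versions affected by CVE-2021-44228 (2.0-beta9 through 2.14.1, fixed in 2.15.0). It also notices when `JndiLookup.class` has been stripped from an otherwise vulnerable JAR, a common mitigation. The three sample deployments it scans are constructed in a temporary directory and are not real systems; the JNDI class entry is placeholder bytes, not real bytecode.

```python
"""Added example: inventory log4j-core on a host and flag CVE-2021-44228.

Illustrative code written for this page, not part of the CSRB report.
The sample tree it builds is constructed data, not a real deployment.
"""
import io
import os
import re
import tempfile
import zipfile

# Maven metadata that every published log4j-core JAR carries, and the class
# whose presence makes CVE-2021-44228 exploitable.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(s):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; None if unparseable."""
    m = VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    if pre:  # pre-releases ('beta9', 'rc1') sort before the final release
        n = re.search(r"\d+", pre)
        pre_key = (0, int(n.group()) if n else 0)
    else:
        pre_key = (1, 0)
    return (int(major), int(minor), int(patch or 0)) + pre_key


# Public affected range for CVE-2021-44228 only. 2.15.0 and 2.16.0 are still
# subject to the follow-on CVEs; 1.x is a different code base, not this CVE.
FIRST_AFFECTED = parse_version("2.0-beta9")
FIRST_FIXED = parse_version("2.15.0")


def classify(version):
    """Return 'vulnerable', 'not-affected' or 'unknown' for CVE-2021-44228."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    return "vulnerable" if FIRST_AFFECTED <= v < FIRST_FIXED else "not-affected"


def inspect_archive(zf, location, findings):
    """Record log4j-core in this archive, then recurse into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        status = classify(version)
        if status == "vulnerable" and JNDI_CLASS not in names:
            status = "mitigated-class-removed"  # JndiLookup.class was stripped
        findings.append({"location": location, "version": version, "status": status})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):  # fat JARs, WEB-INF/lib, etc.
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!/{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return one finding per log4j-core copy."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, os.path.relpath(path, root), findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["location"])


def make_log4j_jar(version, include_jndi=True):
    """Build a minimal stand-in for a log4j-core JAR (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
    return buf.getvalue()


def build_sample_tree(root):
    """Three constructed deployments: one vulnerable, one patched, one mitigated."""
    os.makedirs(os.path.join(root, "app1", "lib"))
    with open(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_log4j_jar("2.14.1"))
    os.makedirs(os.path.join(root, "app2"))
    with open(os.path.join(root, "app2", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(make_log4j_jar("2.17.1"))
    os.makedirs(os.path.join(root, "app3"))  # WAR with log4j nested under WEB-INF/lib
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.12.1.jar",
                     make_log4j_jar("2.12.1", include_jndi=False))
    with open(os.path.join(root, "app3", "portal.war"), "wb") as f:
        f.write(buf.getvalue())


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:<24} {f['version']:<10} {f['location']}")
```

Matching on the Maven `pom.properties` and on the JNDI class, rather than on the file name, is deliberate: renamed or shaded copies of log4j-core are exactly the ones that file-name scans and incomplete SBOMs miss. A real inventory run would point `scan_tree` at application roots and container image layers rather than the constructed sample.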

This is the first time industry and government cyber leaders have come together in this way to examine a serious incident, establish what happened, and advise the wider community on how to do better in future.