BEST OF THE WEB

Attackers are still exploiting Log4j flaw, Cyber Review Board warns

According to the Cyber Safety Review Board, attackers are exploiting Log4j vulnerability, albeit at a lower level than experts predicted.

The review board described the Log4j vulnerability as an “endemic vulnerability” that is likely to persist or even persist for decades.

Log4j is undoubtedly difficult to track because the short line of code that makes up the Java-based utility is embedded in open source software.

The board found that successful exploitation of the Log4j vulnerability gives attackers access to compromised systems. Moreover, because it was so difficult to detect without a comprehensive Log4j “customer list,” organizations struggled to identify and fix them.

The vulnerability is complicated because it was disclosed by a third party just before the Apache Software Foundation could issue a fix to address the vulnerability, giving attackers ample time to exploit the vulnerability.

The board therefore urges the software industry to develop a better model for vulnerability management. Log4j has also highlighted the risks associated with the open source community, which result from resource constraints.

While the solution will take some time to take effect, technology companies are also increasingly addressing the issue, with CA$150 million pledged over the next two years to help strengthen open source security.

The sources for this piece include an article in CIODIVE.

IT World Canada Staff
IT World Canada Staffhttp://www.itworldcanada.com/
The online resource for Canadian Information Technology professionals.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web