Log4j and Lessons Not Learned

A year ago, CISA chief Jen Easterly described the Log4j vulnerability as “one of the most serious that I've seen in my entire career,” says Danny Palmer at ZDNet.

In response to the danger, many updates and fixes were quickly issued to help secure systems. But, a year later, writes Palmer, Log4j remains a threat because many organizations have yet to apply those updates.

Just last month, “CISA and the FBI put out a security alert, warning that if organizations hadn't yet patched or mitigated Log4j vulnerabilities, they should assume their network is compromised and act accordingly,” Palmer says.

In fact, a recent study from Tenable found that 72 percent of organizations remain vulnerable to the Log4j (or Log4Shell) vulnerability as of October 1, 2022, reports Shannon Williams.

Ongoing Remediation

“Full remediation is very difficult to achieve for a vulnerability that is so pervasive, and it’s important to keep in mind that vulnerability remediation is not a one and done process,” explains Bob Huber, Tenable’s Chief Security Officer. “While an organization may have been fully remediated at some point, as they have added new assets to their environments, they are likely to encounter Log4Shell again and again.”

Additionally, Palmer notes, “cyber criminals don't forget about old security flaws and vulnerabilities — and as long as Log4j instances remain unmitigated, they'll be targeting them.”
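Huber's point that remediation has to be repeated as assets are added, and Palmer's point that unmitigated instances stay in scope for attackers, amount to one operational need: a recurring inventory check that separates newly introduced exposure from long-standing exposure. The script below is an added example written for this summary; it is not code from Tenable, CISA, ZDNet, or the Log4j project. The inventory snapshots and the `FIXED_VERSIONS` threshold table are constructed for the demonstration, and the threshold values must be taken from the Apache Log4j security advisories for whichever CVE is being tracked.

```python
"""Recurring Log4j exposure check across two inventory scans (added example)."""
from __future__ import annotations

import re

# Constructed threshold table, NOT authoritative: the first log4j-core version
# treated as remediated, keyed by "major.minor" maintenance branch, plus a
# "default" for every other branch. Fill this from the vendor advisory.
FIXED_VERSIONS = {
    "default": "2.17.1",
    "2.12": "2.12.3",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+)?)?")


def parse_version(version: str) -> tuple[int, int, int, int, int]:
    """Convert '2.14.1' or '2.0-beta9' into a comparable tuple.

    A pre-release tag (beta, rc) sorts below the plain release of the same
    number, so '2.0-beta9' < '2.0'.
    """
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, int(tagnum or 0))


def first_fixed_for(version: str, fixed: dict[str, str]) -> str:
    """Pick the threshold for the asset's maintenance branch (e.g. '2.12'), else the default."""
    major, minor = parse_version(version)[:2]
    return fixed.get(f"{major}.{minor}", fixed["default"])


def is_vulnerable(version: str, fixed: dict[str, str]) -> bool:
    """True when the observed version is older than its branch's first fixed release."""
    return parse_version(version) < parse_version(first_fixed_for(version, fixed))


def exposure_report(
    previous: dict[str, str | None],
    current: dict[str, str | None],
    fixed: dict[str, str],
) -> dict[str, list[str]]:
    """Compare two scans. Values are the log4j-core version found, or None if absent.

    new_exposure:  vulnerable now but not last time (Huber's "new assets" case)
    still_exposed: vulnerable in both scans (the unmitigated instances Palmer warns about)
    remediated:    vulnerable last time, fixed or removed now
    """
    vuln_prev = {a for a, v in previous.items() if v and is_vulnerable(v, fixed)}
    vuln_now = {a for a, v in current.items() if v and is_vulnerable(v, fixed)}
    return {
        "new_exposure": sorted(vuln_now - vuln_prev),
        "still_exposed": sorted(vuln_now & vuln_prev),
        "remediated": sorted(vuln_prev - vuln_now),
    }


# Constructed inventory snapshots (asset name -> log4j-core version found).
LAST_MONTH = {
    "web-01": "2.14.1",
    "batch-07": "2.12.1",
    "api-03": "2.17.1",
    "db-02": None,
}
THIS_MONTH = {
    "web-01": "2.17.1",        # patched since last scan
    "batch-07": "2.12.1",      # still unpatched on the 2.12 branch
    "api-03": "2.17.1",
    "db-02": None,
    "ml-11": "2.14.1",         # new asset shipped with an old bundled log4j-core
    "legacy-05": "2.0-beta9",  # newly inventoried old host
}

if __name__ == "__main__":
    for bucket, assets in exposure_report(LAST_MONTH, THIS_MONTH, FIXED_VERSIONS).items():
        print(f"{bucket:14s} {', '.join(assets) or '-'}")
```

The per-branch table matters because some older minor lines received their own fixed releases; a single global threshold would either clear a vulnerable build on an old branch or flag a patched one. The report is only as good as the scanner feeding the inventory, so the version strings should come from a tool that looks inside nested and shaded jars rather than from file names alone.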

See also:
Cyber Safety Report Outlines Software Security Best Practices
How SBOMs Strengthen the Software Supply Chain
The Log4j Vulnerability: What You Still Need to Know
