Dec 9, 2022 - Technology

One year later, the widespread Log4j threat lingers on

Today marks one year since the Apache Software Foundation unveiled a critical vulnerability in Log4j, its popular open-source logging tool, which left millions of devices open to hackers.

The big picture: A year after one of the most widespread security vulnerabilities in recent history was exposed, companies are still wrestling with how to patch the flaw — or with determining if they were affected at all.

  • Log4j, which was created by a group of volunteer coders, tracks user movements across software and online services so developers can easily spot issues and unusual behaviors. It can be found both in products and in third-party tools used to build products.
  • Once exploited, the vulnerability in Log4j could give hackers remote control of whatever system is running the code, allowing them to download malicious code or enact other controls.

Threat level: The Log4j vulnerability continues to pose a high risk to the vast majority of affected companies, according to recent reports.

  • Ransomware actors and state-sponsored actors have targeted the flaw throughout the year. The Cybersecurity and Infrastructure Security Agency warned last month that Iranian hackers had used the Log4j vulnerability to attack a federal agency earlier this year.
  • Cybersecurity firm Tenable estimates that 72% of organizations are likely still vulnerable. And 29% of those that remediated the flaw ended up vulnerable again.
  • Arctic Wolf Labs said this week that Log4j exploitations made up 11% of its incident response cases in 2022, with the average cost for incident response amounting to $90,000.

Between the lines: Many companies don't keep detailed inventory lists of every product and supplier that's in their networks, software supply chain or hardware components — making identifying something as small as Log4j difficult, if not impossible.

  • "There were multiple very large device manufacturers who actually said, 'Hey, we don't have the Log4j vulnerability,' and in fact, they did," said Thomas Pace, co-founder and CEO of firmware security firm NetRise.
  • "I don't think that they were lying; they just didn't know because it's a really hard problem to identify," Pace added.

The intrigue: In the last year, organizations and government officials have poured plenty of resources into strengthening open-source security to prevent future widespread critical security flaws.

  • The Open Source Security Foundation unveiled the Alpha-Omega Project, with funding from Microsoft and Google, to provide more security tools to open-source software developers, who often run their projects in their spare time and lack the resources to stay on top of security flaws.

Yes, but: It's up to companies to put in the work to determine which systems are still running a vulnerable version of Log4j, Mark J. Cox, Apache Software Foundation vice president of security, told Axios.

  • Synack CEO Jay Kaplan told Axios that while some organizations continue to invest resources in sifting through their products to determine where vulnerable versions of Log4j could be, others aren't "taking it seriously."
  • "This reinforces that certain software is critical and ubiquitous enough that it's everywhere and in places that people don't know about," said Dan Lorenc, founder and CEO of supply chain security firm Chainguard. "The unknown unknowns are the ones that are problematic here."

Reality check: Log4j is an "endemic" problem, per a report from the Cyber Safety Review Board at the Department of Homeland Security.

  • "Unfortunately, we're still in a pretty bad place," Kaplan said. "These vulnerabilities are being taken advantage of all over the world. We have to do better."
