Homeland Security warns: Expect Log4j risks for 'a decade or longer'
2022-07-14 22:59

Organizations can expect risks associated with Log4j vulnerabilities for "a decade or longer," according to the US Department of Homeland Security.

"ICS operators rarely know what software is running on their XIoT devices, let alone know if there are instances of Log4j that can be exploited," Thomas Pace, a former Department of Energy cybersecurity lead and current CEO of NetRise, told The Register.

"The board assesses that Log4j is an 'endemic vulnerability' and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains."
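The two quotes above make the same defensive point: you cannot patch Log4j instances you do not know about, and they may sit inside bundled archives for years. The following inventory check is an added example, not code from the article or from the board's report. It walks a directory tree, opens every jar/war/ear, recurses into nested archives, and reports any archive that carries Log4j 2 core classes together with its version (from the file name or the manifest) and whether the `JndiLookup` class is still present. The version floor of 2.17.1 and the class-entry indicator are the example's own assumptions; adjust them to your patch policy.

```python
"""Inventory check for Log4j 2 core archives.

Added example, not from the article or the board's report. Assumptions:
the 2.17.1 floor and the JndiLookup class entry as an indicator are this
example's choices; align them with your own patch policy.
"""
import io
import re
import zipfile
from pathlib import Path

DEFAULT_MIN_VERSION = (2, 17, 1)  # assumption: anything older needs attention
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_ENTRY = CORE_PREFIX + "lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FILENAME_VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")
MANIFEST_VERSION_RE = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)


def _version_from(text, pattern):
    """Extract a (major, minor, patch) tuple, or None if the pattern is absent."""
    m = pattern.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def inspect_archive(data, path, min_version=DEFAULT_MIN_VERSION):
    """Return findings for one archive given as bytes.

    Recurses into nested archives so a fat jar or a war with log4j-core under
    WEB-INF/lib is not missed. A finding is emitted only when Log4j core
    classes are present; unknown versions are flagged conservatively.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = _version_from(Path(path).name, FILENAME_VERSION_RE)
        if version is None and "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            version = _version_from(manifest, MANIFEST_VERSION_RE)
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP_ENTRY in names,
            "needs_attention": version is None or version < min_version,
        })
    for n in names:
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(inspect_archive(zf.read(n), f"{path}!/{n}", min_version))
    return findings


def scan_tree(root, min_version=DEFAULT_MIN_VERSION):
    """Scan every archive under root and return the combined findings."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(p.read_bytes(), str(p), min_version))
    return findings


def build_sample_jar(version, include_jndi_lookup):
    """Constructed sample: a minimal archive shaped like log4j-core, for offline runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\n"
                    f"Implementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"")
    return buf.getvalue()


def wrap_in_archive(entry_name, data):
    """Constructed sample: wrap bytes as one entry of an outer archive (e.g. a war)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Demonstration on constructed data: an old core jar hidden inside a war.
    war = wrap_in_archive("WEB-INF/lib/log4j-core-2.14.1.jar",
                          build_sample_jar("2.14.1", True))
    for f in inspect_archive(war, "app.war"):
        print(f)
```

On a real host, `scan_tree("/opt")` (or any application root) returns the same dictionaries; treat `needs_attention` as the triage signal and `jndi_lookup_present` as a secondary indicator, since a jar may carry the class while its version already mitigates the lookup. File-name versions are trusted first because renamed or shaded jars sometimes keep a stale manifest; an archive with core classes but no recoverable version is flagged rather than silently passed.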

The good news is that the report provides 19 recommendations for organizations on how they can address ongoing Log4j risks.

"With Log4j, preventing the entire class of bugs that cause it is going to be hard with today's technology, but stuff like fuzzing and safe-by-default language/library design can help a lot," software supply chain security shop Chainguard CEO Dan Lorenc told The Register.

"The vast majority of modern software development makes use of open source software, including that incorporated across critical infrastructure and global security systems," Brewer told The Register.
News URL

https://go.theregister.com/feed/www.theregister.com/2022/07/14/dhs_warns_expect_log4j_risks/