Log4j flaw: open source is not the problem
Heard by a committee of the US Senate, leaders from Cisco, Palo Alto Networks and Apache discussed the industry's response to the Log4j vulnerability and the problems still to come. With one voice, they refused to blame open source.
After the White House, it is now the US Senate's turn to weigh the long-term impact of the serious vulnerability discovered at the end of last year in the open source software Apache Log4j. “Open source is not the problem,” said Dr. Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, an American think tank specializing in international relations, during a hearing of the US Senate Homeland Security and Governmental Affairs Committee this week. “Software supply chain security issues have been of concern to the cybersecurity community for years,” he added.
According to experts, fixing the Log4j flaw and containing its impact will take a great deal of time and hard work. Cisco Talos security researchers believe that Log4j will be heavily exploited in the future, and that users should immediately apply patches to affected products and implement mitigations. The Java logging library is widely used in enterprise and consumer services, websites and applications because it is an easy-to-use component in client/server application development.
A defense of open source
If exploited, the Log4j flaw allows an unauthenticated remote actor to take control of an affected server, gain access to corporate information or trigger a denial of service. The Senate committee asked experts to brief it on industry responses and on ways to prevent future software exposures. Because the Log4j flaw affects open source software, the experts spent much of their time defending the use of open source software in critical platforms. “The Log4j vulnerability, which can be exploited by typing as little as 12 characters, is just one example of the serious threat to national and economic security that can be posed by widespread software vulnerabilities, including those found in open source code, or freely available code developed by individuals,” said committee chair Sen. Gary Peters (D-MI). “In terms of the amount of online services, sites and devices exposed, the potential impact of this software vulnerability is immeasurable, and it puts all of our critical infrastructure, from banks and power grids to government agencies, at the mercy of network breaches,” the senator added.
Cisco’s Brad Arkin also came to the defense of open source software. “I think open source software is not the culprit, as some have suggested, and it would be misguided to suggest that the Log4j vulnerability is evidence of a single flaw or that open source software poses an increased risk,” Brad Arkin, Cisco’s senior vice president and chief security officer, told the committee. “The truth is that all software contains vulnerabilities due to errors in design, integration and writing within the competence of human beings,” he further pleaded. “Cisco is a heavy user of and active contributor to open source security projects. These efforts are essential and necessary to maintain the integrity of the blocks of code shared between fundamental elements of the IT infrastructure,” said Mr. Arkin. “However, focusing exclusively on the risks posed by open source software could distract us from other important areas where we can address the security risks inherent in all software,” added Cisco’s senior vice president and chief security officer.
Have a long-term vision and the means of remediation
According to Dr. Herr of the Atlantic Council, similar vulnerabilities are to be expected. “The Log4j logging program is extremely popular, and fixing its flaws has required considerable effort and widespread public attention, but this is not the last time this type of incident will occur,” said Mr. Herr. “Among the efforts that the federal government should undertake to improve the security of open source would be to fund what is ordinary, by providing resources where the industry would not, or in areas where the public shows little interest in making structural improvements to software supply chain security for all developers and maintainers. Better securing software supply chains and open source code is an infrastructure issue, and the same long-term investment model applies.”
In response to Log4Shell and future vulnerabilities, Jen Miller-Osborn, Deputy Director of Threat Intelligence at Palo Alto Networks’ Unit 42 security research team, recommended several remediation measures, including:
– Automate compliance with vulnerability management policies: “We commend the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency for creating and updating a Known Exploited Vulnerabilities Catalog, but manual reporting to more than 100 federal civilian agencies is unlikely to stay one step ahead of the adversary.”
– Build industry-wide commitment to development security operations: “Awesome work is already being done in this area, but the community would benefit from more widespread adoption of existing development tools to control access to open source components. These tools can analyze all open source packages to verify their integrity and security before they are approved and authorized by engineering teams for use in products.”
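As an added illustration of the approval gate Miller-Osborn describes (example code written for this page, not a Palo Alto Networks, Apache or Cisco tool): a component is allowed into a build only if its version meets a policy minimum and its bytes match the digest of the artifact that was actually reviewed, so that both an outdated version and a tampered copy of an approved version are rejected. The component coordinate is Log4j's; the minimum version, digest and artifact bytes are constructed placeholders.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed approval policy, standing in for an engineering team's allowlist:
# each open source component maps to the minimum version it may be used at and
# the SHA-256 digest of the exact artifact that was reviewed. Both values are
# placeholders; real ones come from your own review records and advisories.
APPROVED: Dict[str, Dict[str, str]] = {
    "org.apache.logging.log4j:log4j-core": {
        "min_version": "2.99.0",  # PLACEHOLDER, not a real Log4j release number
        "sha256": hashlib.sha256(b"constructed reviewed log4j-core bytes").hexdigest(),
    },
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.17.1' or '2.0-beta9' into a comparable tuple.

    Numeric parts are padded to three places; a pre-release suffix such as
    'beta9' or 'rc1' adds a trailing -1 so it sorts below the final release.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]\w*))?$", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((-1,) if match.group(2) else (0,))


def check_component(coord: str, version: str, artifact: bytes) -> List[str]:
    """Return the reasons a component must be blocked; [] means it is approved.

    Two independent checks: the version meets the policy minimum (the
    vulnerability check) and the artifact bytes hash to the digest that was
    reviewed (the integrity check), so a tampered build of an approved version
    is still rejected.
    """
    rule = APPROVED.get(coord)
    if rule is None:
        return [f"{coord}: not on the approved component list"]
    reasons = []
    if parse_version(version) < parse_version(rule["min_version"]):
        reasons.append(f"{coord}@{version}: below minimum approved version {rule['min_version']}")
    digest = hashlib.sha256(artifact).hexdigest()
    if digest != rule["sha256"]:
        reasons.append(f"{coord}@{version}: artifact digest does not match the reviewed build")
    return reasons
```

In a CI pipeline this check would run over every resolved dependency of a build, and any non-empty reason list fails the build before the artifact reaches an engineering team.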
Move to network segmentation and zero trust
Cisco’s Brad Arkin also said that implementing secure architectures is key to creating the separation within systems needed to limit the impact of vulnerabilities and to enable rapid recovery and resilience. “Proper segmentation makes it more difficult to move laterally through the network, even though the attacker may gain initial access by exploiting a vulnerability,” Arkin said. “Implementing a zero-trust environment further protects critical data and systems from intrusion and exploitation by ensuring that every attempt to connect to the network and access important data and systems is scrutinized,” he added. Mr. Arkin and others said that the secure software development and zero-trust networking requirements published in an executive order last year are important steps to take, regardless of whether they could have prevented the Log4Shell vulnerability.
“Code errors aren’t going away anytime soon,” said David Nalley, president of the Apache Software Foundation. “The fact is, because software is written by humans, there will always be bugs, and despite best efforts, some software will have security vulnerabilities. Furthermore, because the world is increasingly connected and digital, the number of vulnerabilities will increase, as will the potential consequences,” he added. “There is no easy solution when it comes to software security. Defense must be applied in depth. It should cover the upstream development of open source projects, the vendors responsible for integrating those projects, the developers who use the software in custom applications, and even the companies and organizations that deploy those applications to provide critical services to their users,” Mr. Nalley said.