A U.S. government review has concluded that a major cybersecurity bug detected last year in a widely used piece of software, the Log4Shell flaw in the Log4j logging library, is an “endemic vulnerability” that could persist for more than a decade as an avenue for hackers to infiltrate computer networks. “The Log4j event is not over,” the report said. “The board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.” The findings are the first to be issued by the Cyber Safety Review Board (CSRB), a panel of experts from government agencies and the private sector, and include recommendations for businesses to guard against the Log4j threat.

“Rarely do we get a comprehensive review of the impact and root causes of a cyber incident so quickly after the incident occurred, but that is precisely what we have from the CSRB in their report on Log4Shell and Log4j. Open source software is fundamentally managed differently than commercial software, but open source software plays a key role in the success of commercial software. The ‘long-tail’ scenario outlined in the report is one we’ve seen with countless past vulnerabilities, and one that favours attackers since their success is based on having at least one victim who hasn’t patched their systems. Given that management of open source software is different from commercial software, and open source powers commercial software, reliance on a commercial vendor to alert consumers of a problem presumes that the vendor is properly managing their usage of open source and that they are able to identify and alert all users of their impacted software, even if support for that software has ended. With patch management being a challenge at the best of times, to mitigate the risk of unknown open source governance within vendors, software consumers should implement a trust-but-verify model to validate that the software they’re given doesn’t contain unpatched vulnerabilities.”
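The “trust-but-verify” check described above, and the report’s point that vulnerable Log4j instances will linger inside shipped software, come down to one practical question: does the artifact a vendor handed you bundle an unpatched log4j-core, possibly several archives deep inside a WAR, EAR or fat JAR? The scanner below is an added example, not code from the CSRB report or from the quoted commentator. It walks archives recursively, reads the log4j-core `pom.properties` Maven metadata for the version, and looks for the `JndiLookup` class (the component whose removal was Apache’s documented workaround). The “fixed” version lines it accepts (2.17.1 and later, 2.12.4 on the Java 7 line, 2.3.2 on the Java 6 line) follow Apache’s Log4j security advisories; treating everything else on 2.x as unpatched is this example’s assumption. The sample WAR it builds is a constructed fixture containing placeholder bytes, not real Log4j classes.

```python
"""Find bundled log4j-core inside JAR/WAR/EAR archives (nested to any depth) and
classify each copy as patched, mitigated (JndiLookup removed) or vulnerable.
Added example; version thresholds are assumptions based on Apache's advisories."""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str            # outer!inner path of the archive holding log4j-core
    version: Optional[str]   # from pom.properties; None if shaded/relocated
    has_jndi_lookup: bool
    status: str              # "patched", "mitigated" or "vulnerable"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> (0, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return (0, 0, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(version: str) -> bool:
    """Assumption: only 2.17.1+, the 2.12.4 line and the 2.3.2 line count as fixed."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # the log4j-core pom path only exists for 2.x; anything else is unknown
    return v >= (2, 17, 1) or (2, 12, 4) <= v < (2, 13, 0) or (2, 3, 2) <= v < (2, 4, 0)


def read_version(props: bytes) -> Optional[str]:
    """Pull the 'version=' key out of a Maven pom.properties file."""
    for line in props.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def classify(location: str, version: Optional[str], has_jndi: bool) -> Finding:
    if version is not None and is_fixed(version):
        status = "patched"
    elif not has_jndi:
        status = "mitigated"   # unpatched version, but the JNDI lookup class was removed
    else:
        status = "vulnerable"  # unpatched or unknown version with JndiLookup still present
    return Finding(location, version, has_jndi, status)


def scan_archive(data: bytes, location: str) -> List[Finding]:
    """Inspect one archive (bytes) and recurse into any archives it contains."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        # Suffix match catches shaded JARs that relocated the org.apache.logging package.
        has_jndi = any(n.endswith("lookup/JndiLookup.class") for n in names)
        version = read_version(zf.read(POM_PROPERTIES)) if POM_PROPERTIES in names else None
        if version is not None or has_jndi:
            findings.append(classify(location, version, has_jndi))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{location}!{name}"))
    return findings


def scan_path(root: Path) -> List[Finding]:
    """Scan every archive under a directory (or a single archive file)."""
    files = [root] if root.is_file() else root.rglob("*")
    findings: List[Finding] = []
    for path in files:
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_war(version: str = "2.14.1", strip_jndi: bool = False) -> bytes:
    """Constructed fixture: a WAR bundling a fake log4j-core JAR (placeholder bytes, not Log4j)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\n"
                                     f"artifactId=log4j-core\nversion={version}\n")
        if not strip_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    results = (scan_path(Path(sys.argv[1])) if len(sys.argv) > 1
               else scan_archive(build_sample_war(), "sample.war"))
    for f in results:
        print(f"{f.status:10} {f.version or 'unknown':8} jndi_lookup={f.has_jndi_lookup} {f.location}")
```

Run it with a directory argument to sweep a deployment tree; with no argument it scans the constructed fixture and reports the nested 2.14.1 copy as vulnerable. A “mitigated” result still deserves an upgrade, since class removal only addresses the JNDI lookup path, and a copy with no `pom.properties` but a relocated `JndiLookup.class` is reported with an unknown version precisely because shading is how a vendor’s bundled Log4j hides from version-string checks.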