After Log4j, White House fears the next big open source vulnerability
The White House is holding a meeting today with Apache, Google, Apple, Amazon, and other major tech organizations to discuss software security and open source tools. This comes in the wake of the Log4j vulnerability that has caused shockwaves throughout the world since it was discovered in December.
more Log4j
White House National Security Advisor Jake Sullivan asked for the meeting in December, noting in a letter to the companies that it was a "national security concern" for foundational open source software to be maintained by volunteers.
The meeting, led by White House cybersecurity leader Anne Neuberger, includes officials from companies like IBM, Microsoft Corp, Meta, Linux, and Oracle as well as government agencies like the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA).
Chris Inglis, National Cyber Director, said on Thursday that the situation around Log4j "has highlighted the need to improve our software security and the transparency of our software supply chain."
The Apache Software Foundation, which manages Log4j and is run by volunteers, released a bevy of documents ahead of the meeting explaining their stance and their efforts to shore up the vulnerability. Some of the documents offer a tacit defense of the organization's response to the crisis, calling Log4j "an unfortunate combination of independently designed features within the Java platform."
Apache noted that they have several hundred open source projects and oversee 227 million lines of code.
During a press conference this week, CISA director Jen Easterly and CISA executive assistant director for cybersecurity Eric Goldstein told reporters that they have not seen any "high-profile breaches or attacks" related to the Log4J vulnerability outside of the attack on the Belgian Defense Ministry.
"This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert. Everybody remembers the Equifax breach that was revealed in September of 2017 was a result of an open-source software vulnerability discovered in March of that year," Easterly said.
Easterly said that as a result of Log4j, CISA is accelerating its efforts to create a "software bill of materials" (SBOM) and noted that they recently hired Allan Friedman, who previously led cybersecurity and SBOM efforts at the Commerce Department. Friedman is now working on coordinating SBOM efforts inside and outside the US government.
Easterly and Goldstein also cited the White House meeting today as part of their effort to address open source security issues.
"We are prioritizing support assistance and transparency to the developers and maintainers of those specific libraries and components. We are taking a prioritized approach, recognizing the ubiquity of these components and that they are now so broadly utilized across technology environments. This vulnerability will catalyze further attention, focus and investment, which will manifest in better security," Goldstein said.
Goldstein noted that even though they have not seen any significant attacks, there has been widespread scanning and exploitation of Log4Shell by cybercriminals who use it to install cryptomining software on victim computers or to capture victim computers for use in botnets.
Steve Povolny, head of advanced threat research for McAfee Enterprise, told ZDNet that there have already been three different iterations of the Log4j vulnerability, prompting concern about the wider issues with similar tools. While he does not expect any more iterations of the Log4j vulnerability, he referenced recent research about JNDI issues as an example of how widespread concern about Log4j has led to other issues being discovered.
"What you see here is a pattern going back 20 years, which I call ambulance chasing, and it's actually a very effective way to weed out similar vulnerabilities. It often happens with the major critical vulnerabilities, where somebody publishes exploit code and all of a sudden, the research industry finds the new target of interest because it's sexy and it's topical," he said.
"But it turns out to be a great way to flush out similar types of vulnerabilities in either the same or tangentially similar project and products."