Security Experts Discuss Log4j Mitigation Before US SenateApache Software Foundation President Comments on Future of Open Source
In a U.S. Senate hearing on Tuesday, the Apache Software Foundation and leaders from Cisco, Palo Alto Networks' Unit 42, and the think tank The Atlantic Council discussed open-source software security, urging both government and private sector entities to recognize the breadth of the free-to-use software and adversaries' willingness to exploit it.
In a hearing entitled "Responding to and Learning from the Log4Shell Vulnerability," witnesses outlined immediate Log4j mitigation efforts, subsequent scanning and exploitation and industry's now-heightened collaboration with the federal government, particularly through the Cybersecurity and Infrastructure Security Agency's information-sharing forum, the Joint Cyber Defense Collaborative.
The widespread flaw in the Java-based logging utility Log4j, which can be exploited to remotely execute code, was first reported on Dec. 9, 2021, after allegedly being detected by Alibaba's cloud security unit. The Apache Software Foundation subsequently issued semi-regular updates for the logging library.
Other items discussed include a renewed push for incident reporting requirements and the state of affairs with the Russia-Ukraine conflict, particularly around threats to Ukraine's critical infrastructure.
Witnesses included David Nalley, president of the Apache Software Foundation; Brad Arkin, senior vice president and chief security and trust officer at Cisco Systems Inc.; Jen Miller-Osborn, deputy director of threat intelligence, Unit 42, Palo Alto Networks; and Trey Herr, director of the Cyber Statecraft Initiative at the Scowcroft Center for Strategy and Security, with The Atlantic Council, a nonpartisan think tank headquartered in Washington, D.C.
Opening the session, Sen. Gary Peters, D-Mich., the committee chairman, said, "The potential impact of this software vulnerability is immeasurable. And it leaves everything from our critical infrastructure such as banks and power grids to government agencies open to network breaches. … I remain concerned that we may never know the full scope and impacts of this vulnerability or the risk posed to our networks."
Sen. Rob Portman, R-Ohio, the committee's ranking member, said of Log4j: "We've learned that fixing this vulnerability is not as easy as just putting out a one-size-fits-all patch. Vendors who use this vulnerable code will have to issue their own patches for their own products, making the response even more complicated and time-consuming."
Apache Software Foundation's Nalley told lawmakers that as of mid-January, roughly 30% of all downloads were for a vulnerable version of Log4j - which equates to 10,000 vulnerable downloads per hour.
The Atlantic Council's Herr advised the committee to consider standing up a "purpose-built open-source security organization" within the federal government - an entity that could serve as a point of contact for the community.
Incident Reporting Legislation
In the hearing, the committee leaders quickly shifted to incident reporting requirements, which they say could help alleviate some vulnerability concerns.
Peters touted a bipartisan bill that would require critical infrastructure providers to report cyberattacks within 72 hours and any ransom payments within 24 hours. The measure - which was scrapped from the National Defense Authorization Act for fiscal year 2022 - has been reintroduced, and Peters aims for prompt consideration among the full Senate.
The proposal, entitled the Strengthening American Cybersecurity Act, comes as part of a legislative package with other measures that advanced out of committee, including a modernization to the Federal Information Security Modernization Act.
Peters urged his colleagues to pass the "landmark legislation," which will "help our lead cybersecurity agency better understand the scope of attacks, including vulnerabilities like Log4j, to warn others of the threat, prepare for potential impacts, and help affected entities respond and recover."
In his testimony, Nalley, who heads the public benefit charity established in 1999, confirmed that once the vulnerability was disclosed, "Apache's security team immediately got to work addressing [it]."
He stated: "I am proud of how the ASF security team and many others responded and remediated this threat. We acted quickly in accordance with practices that we have adopted over many years of supporting a diverse set of open-source projects."
Nalley also testified that a software bill of materials, or SBOM, which essentially catalogs all software components, "can mitigate the impact [of similar vulnerabilities] by accelerating the identification of potentially vulnerable software."
"I submit that software developers, open-source communities and federal policymakers should face [this issue] head-on together, with determination and the vigilance that it demands," he said.
Cisco's Arkin said, "Together, we need to further improve baselines for software security, including open-source software. We collectively need to improve our speed and efficiency and finding and fixing problems when they arise."
Miller-Osborn, of Palo Alto Networks, told lawmakers: "If you don't see your digital footprint through the eyes of the adversary, then your security baseline is inherently incomplete. Since you can't secure what you can't see, your ability to respond to any vulnerability, whether it is the sophistication of Log4j or not, is more elementary."
She praised the efforts of the recently launched JCDC, which she said provided a body to allow for cross-sector and even competitor collaboration.
The Atlantic Council's Herr called Log4j a "crack in the foundation of our software infrastructure." He tasked the U.S. government with becoming "a better partner for open-source communities and [to] invest in shared infrastructure."
Cisco Patching Log4Shell
Discussing Cisco's experience with Log4j, Arkin told lawmakers that the company first worked to get the most up-to-date information to customers.
"For our on-premises products, it's up to our customers to then take that and apply it within the patch maintenance windows that they have according to their risk profile of how the technology is deployed in their environment," Arkin said. "And that's not something we track; it's something that we make available to the customers."
In some cases, he said, the instance of Log4j was bundled in a larger component upstream from Cisco. In those cases, Cisco had to understand where Log4j exists - as part of the active code path or as a dormant section, he said.
"We got the information about Log4j Thursday night, which I think was Dec. 9," Arkin told the committee. "And then by the weekend, we had a good picture of where we thought Log4j was relevant within the code base."
Then, within 72 hours, Arkin testified, Cisco had a "good sense of where we needed to make changes within the code," and said the company was already patching within 72 hours.
On Log4j's global impact, Unit 42's Miller-Osborn told the committee that her team is seeing "active campaigns targeting entities in Ukraine over the past 90 days … likely for the purpose of espionage."
"It's clear this vulnerability has exposed potentially thousands of organizations to cybercriminals and foreign adversaries, some of whom I think we've already seen take advantage of this, including reports that the Russian Federation has exploited Log4jShell to attack Ukrainian systems," Peters said.
While coin-mining exploits have been the most common with Log4j, Miller-Osborn said there have been instances of ransomware and warned that "mass scanning" and adoption into internet of things botnets means "this vulnerability is never going to die."
The Apache Software Foundation's Nalley told senators that his organization has "observed no indication that [Log4j] was exploited before it was disclosed to us."
"We've gone back and looked to see whether automated tools could have detected this vulnerability," he said. "And we've come to the conclusion that none of the automated tools on the market today would have done so."