In May 2021, President Biden established the Cyber Safety Review Board (CSRB) to review major cyber incidents and make recommendations where necessary. The CSRB has recently released its first report, a Review of the December 2021 Log4j Event.
According to the report, “Apache Log4j is an open source Java-based logging framework that collects and manages information about system activity. […] A vulnerability in such a pervasive and ubiquitous piece of software has the ability to impact companies and organizations (including governments) all over the world.”
In November 2021, a vulnerability in Log4j was reported to the Apache Software Foundation. In December 2021, before the issue was resolved, the vulnerability was published online, making it possible for users to perpetrate malicious acts, such as denial-of-service (DoS) attacks or the extraction of sensitive data.
The CSRB’s review provides an account of the Log4j event, outlining its findings, conclusions, and recommendations.