After Log4j, the White House fears the next major open source vulnerability
The White House is holding a meeting today with Apache, Google, Apple, Amazon, and other major tech organizations to discuss the security of open source software and tools. The meeting comes in response to the Log4j vulnerability, which has caused waves of panic worldwide since its discovery in December.
White House National Security Adviser Jake Sullivan called the meeting in December, noting in a letter to the companies that it was "a matter of national security concern" that open source software is maintained by volunteers.
The meeting, led by White House deputy national security adviser for cyber Anne Neuberger, includes officials from companies such as IBM, Microsoft Corp, Meta, Linux, and Oracle, as well as government agencies such as the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA).
National Cyber Director Chris Inglis said on Thursday that the situation surrounding Log4j "emphasized the need to improve the security of our software and the transparency of our software supply chain."
The Apache Software Foundation, which maintains Log4j and is run by volunteers, released a series of pre-meeting documents outlining its position and its efforts to address the vulnerability. Some of the documents offer a pointed defense of the organization's response to the crisis, calling Log4j "an unfortunate combination of independently designed features within the Java platform."
Apache noted that they have several hundred open source projects and monitor 227 million lines of code.
At a press conference this week, CISA director Jen Easterly and CISA executive assistant director for cybersecurity Eric Goldstein told reporters that they had not seen "high-profile breaches or attacks" related to the Log4j vulnerability, aside from the attack on the Belgian Ministry of Defense.
"This may be true, as solemn enemies have already used this vulnerability to exploit targets and are just waiting to accelerate their new reach until network defenders are on lower alert. of open source software vulnerabilities discovered in March of that year," said Easterly.
Easterly said that, because of Log4j, CISA is accelerating its efforts to create a "software bill of materials" (SBOM), and noted that it has recently hired Allan Friedman, who previously led cybersecurity and SBOM efforts at the Department of Commerce. Friedman is now working on coordinating SBOM efforts inside and outside the U.S. government.
Easterly and Goldstein announced today's White House meeting as part of their effort to address open source security issues.
"We prioritize support and transparency for developers and curators of these unique libraries and components. We are taking a priority approach, recognizing the ubiquity of these components and that they are now so widely used across technological environments. attention, focus and investment, which will be reflected in better security," Goldstein said.
Goldstein noted that even though they have not seen any major attacks, cyber criminals have been scanning for and exploiting Log4Shell, largely to install cryptomining software on victims' computers or to capture victims' computers for use in botnets.
Steve Povolny, head of advanced threat research for McAfee Enterprise, told ZDNet that there have already been three different iterations of the Log4j vulnerability, raising concerns about broader issues with similar tools. While not intending to rehash the Log4j vulnerability itself, he cited recent research on JNDI issues as an example of how widespread concern about Log4j has led to other issues being discovered.
"What you are seeing here is a pattern going back 20 years, which I call ambulance chasing, and it is, in fact, a very effective way of eliminating vulnerabilities. All of a sudden, the research industry is finding a new target of interest because it's sexy and it's timely," he said.
"But it turns out that it's a great way to put the same kind of vulnerability in the same project and results or the same thing."