The disclosure of a series of vulnerabilities in log4j led to many frantic weeks as cybersecurity researchers and defenders sought to stem attacks. In this paper, MITRE recommends actions to address the challenges of what we describe as “endemic vulnerabilities.”
Log4shell and Endemic Vulnerabilities in Open Source Libraries
The recent disclosure of a series of vulnerabilities in log4j, and their subsequent widespread exploitation, led to many frantic weeks as cybersecurity researchers and defenders sought to stem attacks using these vulnerabilities. One factor that contributed to the magnitude of the exploit’s impact was the degree to which the log4j libraries had been incorporated into numerous software products and projects, which meant that many software products were vulnerable. The number of impacted products, coupled with challenges in applying fixes, means the log4j vulnerability (known as log4shell) will remain in the global software ecosystem for a long time.
We use the phrase “endemic vulnerability” to describe this situation, where a vulnerability continues to be found and exploited across the global internet, in both old and new software products, long after it has been identified and patches have been made available. Stakeholders across the software development community, the tech industry, and government must act both to address these endemic risks and to operate in an internet where they persist.
Open source software underlies many everyday technology products that we rely on and take for granted, often in ways that are subtle or invisible to users. Open source software libraries are used in many places: by for-profit firms as components of commercially marketed hardware, software, and services, as well as for in-house, custom-developed software used by governments and companies. While this accelerates innovation, any vulnerabilities in these libraries create the conditions for endemic vulnerabilities that pose long-term risks.
In this paper, MITRE recommends the following actions to address the challenges of endemic vulnerabilities:
- The U.S. government should identify and provide resources to improve critical open source software technology through accessible grant programs that focus on security through collaboration and cooperation with open source software projects.
- The software industry and companies procuring software-based solutions should adopt technologies such as Software Bill of Materials (SBOM) to improve transparency of which software libraries their products use and depend upon. This allows developers and users to more quickly identify and respond to vulnerabilities in underlying software components.
- IT enterprises should harden their networks with layered defenses and adopt an “assume breach” mentality. These actions should include outbound network filtering, micro-segmentation strategies derived from zero trust architectures, improved monitoring, and regular exercising of vulnerability and incident response procedures.
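The SBOM recommendation above rests on a simple mechanism: once a product's dependency tree is recorded in a machine-readable form, an advisory feed can be matched against it automatically, including against transitive dependencies that the product's own developers never chose directly. The following is an added illustration, not code from MITRE or from this paper. It parses a constructed CycloneDX-style SBOM (the component data, the nested dependency, and the advisory record with its placeholder identifier and version bounds are all made up for the example) and reports which components fall inside an affected version range.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical product. The nested
# "components" entry models a transitive dependency: the product pulls in a
# web framework, and the framework pulls in a logging library.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.example", "name": "web-framework",
         "version": "3.2.0",
         "purl": "pkg:maven/com.example/web-framework@3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
    ],
})

# Constructed advisory feed. The identifier and the version bounds are
# placeholders for illustration, not a real advisory record.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0",   # first affected version (inclusive)
     "fixed": "2.15.0"},      # first fixed version (exclusive)
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1). Only the leading digit run of each
    dot-separated segment is used, so pre-release tags are ignored."""
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def walk_components(components):
    """Yield every component, descending into nested (transitive) ones."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def package_of(purl):
    """Strip the '@version' suffix so a purl can be matched to an advisory."""
    return purl.split("@", 1)[0]


def is_affected(version, advisory):
    """True if introduced <= version < fixed under the simplified ordering."""
    v = parse_version(version)
    return (parse_version(advisory["introduced"]) <= v
            < parse_version(advisory["fixed"]))


def find_affected(sbom_json, advisories):
    """Return (purl, advisory id) pairs for every component in the SBOM,
    transitive ones included, that an advisory's version range covers."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in walk_components(sbom.get("components", [])):
        pkg = package_of(comp["purl"])
        for advisory in advisories:
            if advisory["package"] == pkg and is_affected(comp["version"], advisory):
                hits.append((comp["purl"], advisory["id"]))
    return hits


if __name__ == "__main__":
    for purl, advisory_id in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{purl} is in the affected range of {advisory_id}")
```

Two design points matter in practice. First, the walk descends into nested components, which is where the "subtle or invisible" dependencies the paper describes usually live; a flat scan of top-level entries would have missed the logging library here. Second, the version comparison is a deliberate simplification: real ecosystems (Maven, npm, PyPI) each have their own ordering rules for pre-release and qualifier tags, and a production matcher should use the ecosystem's own comparator rather than this tuple ordering.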
While these steps will not eliminate the presence of endemic vulnerabilities in the software ecosystem, they will help reduce such vulnerabilities and help enterprises to operate more safely in their presence.