London Daily

Focus on the big picture.
Friday, Aug 22, 2025

Log4j software flaw 'endemic,' new cyber safety panel says

Log4j software flaw 'endemic,' new cyber safety panel says

A computer vulnerability discovered last year in a ubiquitous piece of software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.
The Cyber Safety Review Board said in a report Thursday that while there hasn’t been sign of any major cyberattack due to the Log4j flaw, it will still “be exploited for years to come.”

“Log4j is one of the most serious software vulnerabilities in history,” the board’s chairman, Department of Homeland Security Under Secretary Rob Silvers, told reporters Wednesday.

The Log4j flaw, made public late last year, lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.

The flaw’s discovery prompted urgent warnings by government officials and massive efforts by cybersecurity professionals to patch vulnerable systems.

The board said Thursday that “somewhat surprisingly” the exploitation of the Log4j bug had occurred at lower levels than experts predicted. The board also said that it was unaware of any “significant” Log4j attacks on critical infrastructure systems but noted that some cyberattacks go unreported.

The board said future attacks are likely in large part because Log4j is routinely embedded with other software and can be hard for organizations to find running in their systems.

“This event is not over,” Silvers said.

Log4j, written in the Java programming language, logs user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers.

A security researcher at the Chinese tech giant Alibaba notified the foundation on Nov. 24. It took two weeks to develop and release a fix. Chinese media reported that the government punished Alibaba for not reporting the flaw earlier to state officials.

The board said Thursday it found “troubling elements” with the Chinese government’s policy toward vulnerability disclosures, saying it could give Chinese state hackers an early look at computer flaws they could use for nefarious means like stealing trade secrets or spying on dissidents. The Chinese government has long denied wrongdoing in cyberspace and told the board that it encourages improved information sharing on software vulnerabilities.

The board offered a number of recommendations on mitigating the fallout of the Log4j flaw as well as improving cybersecurity generally. That includes the suggestion that universities and community colleges make cybersecurity training a required part of computer science degree and certification programs.

The Cyber Safety Review Board is modeled after the National Transportation Safety Board, which reviews plane crashes and other major accidents, and was mandated by an executive order Biden signed last May. The 15-member board is made up of FBI, National Security Agency and other government officials as well as people from the private sector. Some supporters of the new board criticized DHS for taking so long to get it up and running.

Biden’s executive order directed the board to conduct its first review on the massive Russian cyber espionage campaign known as SolarWinds. Russian hackers were able to breach several federal agencies, including accounts belonging to top cybersecurity officials at DHS, though the full fallout from that campaign is still unclear.

Silvers said DHS and the White House agreed that reviewing the Log4j flaw was a better use of the new board’s expertise and time.
Newsletter

Related Articles

0:00
0:00
Close
After 200,000 Orders in 2 Minutes: Xiaomi Accelerates Marketing in Europe
Ukraine Declares De Facto War on Hungary and Slovakia with Terror Drone Strikes on Their Gas Lifeline
Animated K-pop Musical ‘KPop Demon Hunters’ Becomes Netflix’s Most-Watched Original Animated Film
New York Appeals Court Voids Nearly $500 Million Civil Fraud Penalty Against Trump While Upholding Fraud Liability
Elon Musk tweeted, “Europe is dying”
Far-Right Activist Convicted of Incitement Changes Gender and Demands: "Send Me to a Women’s Prison" | The Storm in Germany
Hungary Criticizes Ukraine: "Violating Our Sovereignty"
Will this be the first country to return to negative interest rates?
Child-free hotels spark controversy
North Korea is where this 95-year-old wants to die. South Korea won’t let him go. Is this our ally or a human rights enemy?
Hong Kong Launches Regulatory Regime and Trials for HKD-Backed Stablecoins
China rehearses September 3 Victory Day parade as imagery points to ‘loyal wingman’ FH-97 family presence
Trump Called Viktor Orbán: "Why Are You Using the Veto"
Horror in the Skies: Plane Engine Exploded, Passengers Sent Farewell Messages
MSNBC Rebrands as MS NOW Amid Comcast’s Cable Spin-Off
AI in Policing: Draft One Helps Speed Up Reports but Raises Legal and Ethical Concerns
Shame in Norway: Crown Princess’s Son Accused of Four Rapes
Apple Begins Simultaneous iPhone 17 Production in India and China
A Robot to Give Birth: The Chinese Announcement That Shakes the World
Finnish MP Dies by Suicide in Parliament Building
Outrage in the Tennis World After Jannik Sinner’s Withdrawal Storm
William and Kate Are Moving House – and the New Neighbors Were Evicted
Class Action Lawsuit Against Volkswagen: Steering Wheel Switches Cause Accidents
Taylor Swift on the Way to the Super Bowl? All the Clues Stirring Up Fans
Dogfights in the Skies: Airbus on Track to Overtake Boeing and Claim Aviation Supremacy
Tim Cook Promises an AI Revolution at Apple: "One of the Most Significant Technologies of Our Generation"
Apple Expands Social Media Presence in China With RedNote Account Ahead of iPhone 17 Launch
Are AI Data Centres the Infrastructure of the Future or the Next Crisis?
Cambridge Dictionary Adds 'Skibidi,' 'Delulu,' and 'Tradwife' Amid Surge of Online Slang
Bill Barr Testifies No Evidence Implicated Trump in Epstein Case; DOJ Set to Release Records
Zelenskyy Returns to White House Flanked by European Allies as Trump Pressures Land-Swap Deal with Putin
The CEO Who Replaced 80% of Employees for the AI Revolution: "I Would Do It Again"
Emails Worth Billions: How Airlines Generate Huge Profits
Character.ai Bets on Future of AI Companionship
China Ramps Up Tax Crackdown on Overseas Investments
Japanese Office Furniture Maker Expands into Bomb Shelter Market
Intel Shares Surge on Possible U.S. Government Investment
Hurricane Erin Threatens U.S. East Coast with Dangerous Surf
EU Blocks Trade Statement Over Digital Rule Dispute
EU Sends Record Aid as Spain Battles Wildfires
JPMorgan Plans New Canary Wharf Tower
Zelenskyy and his allies say they will press Trump on security guarantees
Beijing is moving into gold and other assets, diversifying away from the dollar
Escalating Clashes in Serbia as Anti-Government Protests Spread Nationwide
The Drought in Britain and the Strange Request from the Government to Delete Old Emails
Category 5 Hurricane in the Caribbean: 'Catastrophic Storm' with Winds of 255 km/h
"No, Thanks": The Mathematical Genius Who Turned Down 1.5 Billion Dollars from Zuckerberg
The surprising hero, the ugly incident, and the criticism despite victory: "Liverpool’s defense exposed in full"
Digital Humans Move Beyond Sci-Fi: From Virtual DJs to AI Customer Agents
YouTube will start using AI to guess your age. If it’s wrong, you’ll have to prove it
×