Log4j labeled an “Endemic Vulnerability” that could persist for Years to Come
In a report released by the Cyber Safety Review Board, the board states that tens of thousands of hours have been spent securing the Log4j vulnerability since it was discovered in December, and that it could remain a cybersecurity issue for a decade or more.
The vulnerability is in the widely used Apache Java logging library Log4j, and can be used by hackers to take over a computer server if it is not patched. The library is popular because it is free, but that also means companies are left to create patches for it on their own. The review board, which was created earlier this year by the Department of Homeland Security, noted that one cabinet agency has already spent 33,000 hours responding to the weakness.
When Log4j became public knowledge, the US government warned organizations to be on high alert against attacks. Although attacks exploiting the vulnerability have occurred, they have not been as severe as was initially feared.
“At the time of writing, the board is not aware of any significant Log4j-based attacks on critical infrastructure systems,” the Cyber Safety Review Board said. “Somewhat surprisingly, the board also found that to date, generally speaking, exploiting of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.”
According to the report, “significant risk remains.” Because it is so widespread, the board states that this is an “endemic vulnerability” that could persist for years to come.
Story via CNET