The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to Federal agencies today, requiring them to assess their internet-facing network assets for the Apache Log4j vulnerabilities and immediately patch these systems or implement other appropriate mitigation measures.
The emergency directive responds to the critical vulnerability affecting Log4j versions 2.0-beta9 to 2.14.1, which allows unauthenticated remote code execution by adversaries. Log4j is a popular Java library widely used in software products as a logging framework. The Apache Software Foundation developed and maintains Log4j.
“The log4j vulnerabilities pose an unacceptable risk to Federal network security,” CISA Director Jen Easterly said in a statement. “CISA has issued this emergency directive to drive Federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”
“CISA also strongly urges every organization large and small to follow the Federal government’s lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive. If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats,” Easterly added.
CISA said the emergency directive is based on the current exploitation of the Log4j vulnerabilities by threat actors, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the Federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.
However, on Dec. 15, CISA said there had been no confirmed compromise of any Federal agencies as a result of the Log4j vulnerability. Nevertheless, CISA reiterated that it added the vulnerability to its catalog of known vulnerabilities over the weekend, giving agencies two weeks to remediate and mitigate any potential harm.
CISA said network defenders can find Log4j mitigation guidance and resources at its dedicated webpage, as well as a community-sourced GitHub repository of affected devices and services.