Federal agencies on Friday were ordered by the Department of Homeland Security to investigate and patch systems against the Apache logging library Log4j vulnerability that has been flagged by cybersecurity experts in recent days.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency order calling on agencies to immediately patch their network assets that connect to the Internet or implement other mitigation measures. Federal civilian agencies would have until Dec. 24 to implement the changes, noting the directive “is in response to the active exploitation by multiple threat actors of vulnerabilities found in the widely used Java-based logging package Log4j.”
The agency will provide a report in February to the Department of Homeland Security, which oversees CISA, and to the Office of Management and Budget.
“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” CISA’s directive said. “This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”
CISA further said there is a “high potential” for a compromise of federal government information systems.
“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said in a statement released Friday. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”
Some nation-states and cybercriminals are currently trying to exploit the Apache vulnerability, security researchers said. Among them, Chinese Communist Party and Iranian hackers are trying to target unprotected systems, according to Microsoft and Mandiant earlier this week.
The vulnerability, known as CVE-2021-44228, was discovered on Dec. 9, and it allows remote access to servers and allows for code execution, experts have said. It means a hacker or malign actor can send a malicious code string that will get logged by the Log4j version, which then allows the attacker to load an arbitrary Java code to a server, thereby enabling them to take control of a server.
“Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come,” according to a recent blog post by cybersecurity researchers at Dragos.
Last week, Cloudflare CEO Matthew Prince wrote that his company has “made the determination that Log4J is so bad we’re going to try and roll out at least some protection for all Cloudflare customers by default, even free customers who do not have our [enterprise suite] … working on how to do that safely now.”
