CISA orders federal agencies to mitigate Log4J vulnerabilities in emergency directive

The Cybersecurity and Infrastructure Security Agency (CISA) sent out an emergency directive on Friday requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for the Apache Log4j vulnerabilities or implement other appropriate mitigation measures. 

CISA previously said federal civilian agencies would have until December 24 to address the issue but noted that the latest directive “is in response to the active exploitation by multiple threat actors of vulnerabilities found in the widely used Java-based logging package Log4j.”


CISA Director Jen Easterly said they are urging organizations of all sizes to also assess their network security and adapt the mitigation measures outlined in the emergency directive. 

If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats, Easterly said. 

“The log4j vulnerabilities pose an unacceptable risk to federal network security,” Easterly explained. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”

According to CISA, the directive was handed down because these vulnerabilities are currently being exploited by threat actors and because the agency's investigations showed just how prevalent the affected software is in the federal enterprise.

Read More: https://www.zdnet.com/article/cisa-orders-federal-agencies-to-mitigate-log4j-vulnerabilities-in-emergency-directive/#ftag=RSSbaffb68