The US Cybersecurity and Infrastructure Security Agency has ordered all civilian federal agencies to patch the Log4j vulnerability and three others by December 24, adding it to the organization’s Known Exploited Vulnerabilities Catalog.
CISA created a landing page for all Log4j vulnerability content and is providing insight alongside the Joint Cyber Defense Collaborative that includes multiple cybersecurity companies.
CISA added the Log4j vulnerability alongside 12 others, with four having remediation due dates of December 24 and the rest having June 10, 2022 as the date. The ones slated for remediation by Christmas include the Zoho Corp. Desktop Central Authentication Bypass vulnerability, the Fortinet FortiOS Arbitrary File Download vulnerability and the Realtek Jungle SDK Remote Code Execution vulnerability.
CISA Director Jen Easterly said in a statement on Saturday that the log4j vulnerability “is being widely exploited by a growing set of threat actors” and “presents an urgent challenge to network defenders given its broad use.”
Bugcrowd CTO Casey Ellis commended the remediation deadlines but said it would be “nearly impossible for most organizations.”
“They need to find log4j before they can patch it, and many are still stuck on that step. If log4j is found, it’s likely that it is deeply embedded in existing applications and will require