DHS issues emergency directive ordering all federal civilian agencies to address Log4j flaw

Dec 17, 2021 | CYBERSCOOP

U.S. cyber officials issued an emergency directive Friday giving all federal civilian agencies until Dec. 23 to assess their internet-facing networks for the Apache Log4j vulnerability and immediately patch the systems, or take other measures to mitigate the software flaw.

The directive, issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, comes in response to “the active exploitation by multiple threat actors” of the Log4j bug, which has roiled the information security community since it emerged Dec. 10 as a vulnerability in widely used logging software. The directive also requires agencies to report to CISA by Dec. 28 all software applications affected by the bug by name and version, and what actions were taken.

“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said in a statement. “If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats.”

The directive is based on current exploitation of the Log4j vulnerabilities, the likelihood of exploitation, the prevalence of affected software among federal agencies, and the potential impact of a successful compromise, Easterly’s

Read More: https://www.cyberscoop.com/log4j-emergency-directive-cisa-conti/