CISA Issues Emergency Directive on Log4j

The Cybersecurity and Infrastructure Security Agency orders federal agencies to take action to mitigate the Apache Log4j flaw and attacks exploiting it.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today ordered civilian federal agencies to take immediate steps to identify, patch, and mitigate Log4j vulnerabilities in their networks.

"CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems," the emergency directive states.

Federal agencies — not including the Defense Department or intelligence agencies — have until 5 p.m. on Dec. 23 to identify, patch, or apply mitigation measures on all Internet-facing systems vulnerable to Log4j or, if necessary, remove the affected software altogether. CISA said to "assume compromise" of systems that are affected, and agencies must monitor and investigate those systems for signs of attack.

Agencies are required to report all affected applications and actions taken to CISA by 5 p.m. EST on Dec. 28. 

Read the full emergency directive here.
