The Cybersecurity Infrastructure and Security Agency orders federal agencies to take actions to mitigate vulnerabilities to the Apache Log4j flaw and attacks exploiting it.
The US Department of Homeland Security's Cybersecurity Infrastructure and Security Agency (CISA) today ordered civilian federal agencies to take immediate steps to identify, patch, and mitigate Log4j vulnerabilities in their networks.
"CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems," the emergency directive states.
Federal agencies — not including the Defense Department or intelligence agencies — have until 5 p.m. on Dec. 23 to identify, patch, or apply mitigation measures on all Internet-facing systems vulnerable to Log4j or, if necessary, remove the affected software altogether. CISA said to "assume compromise" of systems that are affected, and agencies must monitor and investigate those systems for signs of attack.
Agencies are required to report all affected applications and actions taken to CISA by 5 p.m. EST on Dec. 28.
Read the full emergency directive here.
About the Author(s)
You May Also Like
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024