The Cybersecurity and Infrastructure Security Agency issued an emergency directive today requiring civilian executive branch agencies to identify all Internet-facing assets with the critical “Log4j” vulnerability and either patch or mitigate any vulnerable software within a week.
By Dec. 23 at 5 p.m., agencies are directed to “enumerate all solution stacks accepting data from the internet” and then check whether any of them have the Log4j vulnerability using a CISA-managed GitHub repository linked from the agency’s website, according to the new directive.
By the same deadline, agencies are given three options for addressing any vulnerable software: “immediately” update assets where patches are available; reduce the risk of exploitation using one of the other mitigation measures listed on CISA’s website; or remove the affected asset from their networks.
“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the directive states. “This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”
It also directs agencies to “assume compromise” for any software affected by the vulnerability. Agencies should “identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns,” the directive states.
The directive also tells agencies to report all affected software applications to CISA by Dec. 28.
For its part, CISA says it will “continue to work with our partners to monitor for active exploitation associated with these vulnerabilities and will notify agencies and provide additional guidance, as appropriate.”
The agency is also providing technical assistance for agencies “without internal capabilities sufficient to comply with this directive.”
By Feb. 15, CISA plans to send a report to Homeland Security Secretary Alejandro Mayorkas and the White House Office of Management and Budget “identifying cross-agency status and outstanding issues.”
The Log4j vulnerability emerged last week. CISA initially set a Christmas Eve deadline for agencies to address the vulnerability, but that update to its binding operational directive gave far less detail on required agency actions than the emergency directive issued today.
During a Tuesday evening call with reporters, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said no agencies were known to have been compromised at that time.
“But of course, we are on extraordinarily heightened vigilance to detect and mitigate any such events, if they do arise,” he added. “If one looks at the catalog of known impacted products that CISA has put online, these are products that are used by every major organization around the world.”