The Cybersecurity and Infrastructure Security Agency has released an emergency directive asking federal civilian agencies to mitigate Apache Log4j vulnerabilities in their internet-facing networks.
CISA said Friday that multiple threat actors are exploiting a series of vulnerabilities in the Java-based logging library Log4j, which allow hackers to remotely execute code on a server.
The agency issued the emergency directive for several reasons, including exploitation of the vulnerabilities in external network environments, the prevalence of affected software in federal networks and the potential impact of a successful breach.
“The log4j vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly.
“CISA also strongly urges every organization large and small to follow the federal government’s lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive. If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats,” added Easterly.
The directive requires agencies to enumerate all solution stacks accepting data input from the internet and assess all software assets in identified solution stacks against the CISA-managed GitHub repository, among other actions, by Dec. 23.
By Dec. 28, agencies should report all affected software applications and related assets and confirm with CISA that their internet-accessible IP addresses are updated.
CISA has established a webpage to provide network defenders with information on Log4j mitigation measures and other resources. The platform also includes a GitHub repository of affected services and devices.