CISA orders federal agencies to patch Log4Shell by December 24th
The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch systems against the critical Log4Shell vulnerability and released mitigation guidance in response to active exploitation.
CISA has now created a dedicated page with technical details about the Apache Log4j logging library flaw and patching information for vendors and impacted organizations.
Besides patching all products using the vulnerable library, CISA also recommends taking three additional, immediate steps: enumerating internet-facing endpoints that use Log4j, ensuring that SOCs act on every alert on internet-exposed devices, and installing a web application firewall that automatically updates with the latest rules. Compromises should be reported immediately to CISA and the FBI.
On December 10, the day Log4Shell exploits were published online, CISA also added the CVE-2021-44228 Apache Log4j vulnerability to the Known Exploited Vulnerabilities Catalog.
In accordance with BOD 22-01 issued in November, all federal civilian executive branch agencies must now mitigate Log4Shell on internet-facing and non-internet-facing federal information systems by December 24, 2021.
"CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use," CISA Director Jen Easterly said in a statement issued over the weekend.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. Vector: network; complexity: low; vendors: apache, siemens, intel, debian, fedoraproject, sonicwall, netapp, cisco, snowsoftware, bentley, percussion, apple; CWE-502; critical | 10.0 |