Security News > 2021 > December > CISA issues emergency directive to fix Log4j vulnerability

The US government's Cybersecurity and Infrastructure Security Agency on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021.

"Since Log4Shell is a critical flaw with a huge attack surface and is very simple to exploit, threat actors are actively using it to launch their attacks even with a patch already released, said Felipe Tarijon, a malware analyst at AppGate Security, in an email to The Register."Several state-sponsored groups are exploiting the flaw in the wild and making modifications to the Log4j exploit.

The emergency directive requires federal civilian agencies by the end of the business day on December 23rd to: 1) Identify all systems that accept data over the internet; to check those systems against the CISA-managed GitHub repository; apply the latest Log4j patch if appropriate or take vulnerable systems offline; submit a pull request identifying assets not referenced; and assume that vulnerable systems have been compromised, with the post-incident investigation and mitigation that entails.

"The first patch still has a vulnerability in non-default configurations allowing exfiltration of sensitive data," said Tarijon in an email to The Register.

"So, applying the latest patch by updating to 2.16 would be enough to fix the remote code execution problem.

"As a reference, the PrintSpooler vulnerabilities in July of this year led to an RCE bug, patched by Microsoft, but subsequent exploits and variants appeared later as soon as threat actors started to abuse the vulnerability in the wild," Tarijon explained.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/12/17/cisa_issues_emergency_directive_to/