Security News > 2021 > December > US emergency directive orders govt agencies to patch Log4j bug
US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days.
The order comes through an emergency directive issued by the Cybersecurity and Infrastructure Security Agency today.
"To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action," CISA Director Jen Easterly said at the time.
The new emergency directive further requires federal agencies to find all Internet-exposed devices vulnerable to Log4Shell exploits, patch them if a patch is available, mitigate the risk of exploitation, or remove vulnerable software from their networks until December 23.
CISA asks organizations to upgrade to Log4j version 2.16.0 or immediately apply appropriate vendor-recommended mitigations.
See CISA's upcoming GitHub repository for known affected products and patch information.