Security News > 2021 > December > US orders federal govt agencies to patch critical Log4j bug
US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days.
"To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action," CISA Director Jen Easterly said at the time.
The new emergency directive further requires federal agencies to find all Internet-exposed devices vulnerable to Log4Shell exploits, patch them if a patch is available, mitigate the risk of exploitation, or remove vulnerable software from their networks until December 23.
The federal agencies were also given five more days, until December 28 to report all affected Java products on their networks, including application and vendor names, the app's version, and the action taken to block exploitation attempts.
CISA asks organizations to upgrade to Log4j version 2.16.0 or immediately apply appropriate vendor-recommended mitigations.
See CISA's upcoming GitHub repository for known affected products and patch information.
News URL
Related news
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
- US charges Chinese hackers linked to critical infrastructure breaches (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)
- Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw (source)