Security News > 2021 > December > US orders federal govt agencies to patch critical Log4j bug
US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days.
"To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action," CISA Director Jen Easterly said at the time.
The new emergency directive further requires federal agencies to find all Internet-exposed devices vulnerable to Log4Shell exploits, patch them if a patch is available, mitigate the risk of exploitation, or remove vulnerable software from their networks until December 23.
The federal agencies were also given five more days, until December 28 to report all affected Java products on their networks, including application and vendor names, the app's version, and the action taken to block exploitation attempts.
CISA asks organizations to upgrade to Log4j version 2.16.0 or immediately apply appropriate vendor-recommended mitigations.
See CISA's upcoming GitHub repository for known affected products and patch information.
News URL
Related news
- Patch now: Critical Nvidia bug allows container escape, complete host takeover (source)
- Progress urges admins to patch critical WhatsUp Gold bugs ASAP (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)