EoL Systems Stonewalling Log4j Fixes for Fed Agencies
2022-01-07 22:16

Besides the difficulty of tracking down all instances of the ubiquitous Apache logging library, the job of patching the flaws has been further complicated for many agencies by end-of-life and end-of-support systems connected to the network.

Due to network-connected EoL and EoS systems: an issue that's further complicated by pandemic-wrought supply chain delays and remote-work issues.

Due to all these snafus, Keller has found that agencies are relying on running command-line scripts to find affected systems.

Between technology issues and travel restrictions/shipping delays involved in replacing these systems, Keller predicts that agencies are months away from being able to address Log4j.

You hope your system management capability can provide a level of detail to make sure systems are accurately reporting back in.

We have seen over the past month that Application Security products do a better job of finding the systems affected, but most agencies don't deploy a robust AppSec practice, so #1, having the software on hand was one issue, and #2 having the ability to figure out all of the solutions being built that use Log4J was a bigger issue.


News URL

https://threatpost.com/eol-systems-stonewalling-log4j-fixes-for-fed-agencies/177475/