Federal agencies ordered to immediately patch systems against Apache vulnerability

Federal agencies on Friday were ordered to immediately investigate and patch systems to prevent exploitation of a massive vulnerability in Apache logging library log4j that has been increasingly used by nations and cybercriminals to target organizations around the world.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive giving agencies until Dec. 23 to identify which software is impacted by log4j and then either deploy patches against these vulnerabilities or remove the impacted software from the network. The agencies must report all impacted software and actions taken to CISA by Dec. 28. 

Following these actions, CISA will provide a report in February to the secretary of Homeland Security and to the Office of Management and Budget, and will keep working with partners to help remediate the vulnerability. 

ADVERTISEMENT

“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the directive reads. “This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.” 

The vulnerability, first uncovered a week ago, has sent cybersecurity professionals scrambling to address the issue, which has been particularly difficult given that log4j is a fundamental ingredient of much of the software used by major companies. 

Nation states have quickly moved to try to take advantage of the situation, with Microsoft and Mandiant reporting earlier this week that Chinese and Iranian hackers had been attempting to exploit the log4j vulnerability. 

Exploitation has reached massive levels worldwide, with a spokesperson for Check Point Software telling The Hill Friday that the company had seen 3.8 million attempts to use the vulnerability, more than 100 attempts per moment globally, and that around half of all corporate networks worldwide had been targeted. 

“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said in a statement Friday. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”

ADVERTISEMENT

Such agencies are certainly at risk, with Anne Neuberger, the deputy national security advisor for Cyber and Emerging Technology, telling Bloomberg Television Thursday that some agencies had been impacted. 

Easterly stressed Friday that while the directive only applies to federal agencies, all companies should take similar measures to protect themselves. 

“CISA  also strongly urges every organization large and small to follow the federal government’s lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive,” Easterly said. “If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats.”