The Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 22-02, named Mitigate Apache Log4j Vulnerability. CISA stated that the vulnerability poses an unacceptable risk to federal agencies and requires emergency action. CISA has also already added CVE-2021-44228 to its catalog of known exploited vulnerabilities, as defined by BOD 22-01.
Required actions
CISA recommends the same actions across the entirety of agencies’ infrastructure. CISA will issue supplemental direction applicable to broader agency-owned information technologies and operational technologies as the situation evolves. The actions apply to agency applications in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
By 5 pm EST on December 23, 2021:
- Enumerate all solution stacks accepting data input from the internet.
- Evaluate all software assets in identified solution stacks against the CISA-managed GitHub repository to determine whether Log4j is present in those assets and if so, whether those assets are affected by the vulnerability.
- If the software product is not listed in the repository, request addition by submitting a “pull” request using the link on the GitHub page.
- For all software assets that agencies identify as affected by CVE-2021-44228, take one of the following actions:
- Update assets for which patches have been provided. Remediation timelines prescribed in BOD 22-01 “may be adjusted in the case of grave risk to the Federal Enterprise.” Given the criticality of CVE-2021-44228, agencies must immediately patch any vulnerable internet-facing devices for which patches are available, under an emergency change window; OR
- Mitigate the risk of vulnerability exploitation using one of the mitigating measures provided; OR
- Remove affected software assets from agency networks.
- For all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).
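As an added example (not part of the directive or of CISA's own guidance), the monitoring step in the last action above applied to a constructed set of firewall connection logs: it flags internal hosts reaching LDAP/LDAPS/RMI ports outside the organisation and DMZ hosts initiating any connection to the Internet. The log format, the DMZ range, the RFC 1918 definition of "internal" and the port list are assumptions to be replaced with the agency's own inventory.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of firewall connection logs (not real data).
SAMPLE_LOG = """\
2021-12-13T10:15:22Z src=10.20.0.15 dst=10.20.0.40 dport=443 proto=tcp action=allow
2021-12-13T10:15:23Z src=10.20.0.15 dst=198.51.100.7 dport=389 proto=tcp action=allow
2021-12-13T10:15:24Z src=10.20.0.16 dst=198.51.100.7 dport=1099 proto=tcp action=allow
2021-12-13T10:15:25Z src=10.20.0.16 dst=203.0.113.9 dport=8443 proto=tcp action=allow
2021-12-13T10:15:26Z src=10.50.1.3 dst=203.0.113.9 dport=389 proto=tcp action=allow
2021-12-13T10:15:27Z src=10.20.0.17 dst=10.20.0.5 dport=389 proto=tcp action=allow
"""

# Hypothetical DMZ range and RFC 1918 internal ranges; adjust to the real inventory.
DMZ_NETS = [ipaddress.ip_network("10.20.0.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default LDAP, LDAPS and RMI registry ports used by JNDI lookups. A hostile server can
# listen on any port, which is why the second rule below looks at the DMZ source instead.
JNDI_PORTS = {389, 636, 1099}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def find_suspicious(log_text):
    """Return the log lines matching the directive's JNDI/DMZ outbound indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool should count these
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if _in_any(dst, INTERNAL_NETS):
            continue  # internal-to-internal traffic is out of scope for these two rules
        if dport in JNDI_PORTS:
            findings.append(Finding(m["ts"], str(src), str(dst), dport, "jndi-port-outbound"))
        elif _in_any(src, DMZ_NETS):
            findings.append(Finding(m["ts"], str(src), str(dst), dport, "dmz-initiated-outbound"))
    return findings
```

Run `find_suspicious(SAMPLE_LOG)` to see the four flagged connections; real deployments would feed the same rules from a SIEM query over egress logs rather than a text file.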
By 5 pm EST on December 28, 2021:
- Report all affected software applications identified in (3) above using the provided template, including:
- Vendor name
- Application name and version
- Action taken (e.g. updated, mitigated, removed from agency network)
- Confirm that your agency’s Internet-accessible IP addresses on file with CISA are up to date via email.