Agencies Must Fix Newly Cataloged Vulnerabilities by Christmas Eve

The Cybersecurity and Infrastructure Security Agency has added a severe flaw found in a commonly used software library to its list of known vulnerabilities being actively exploited with remediation due before Christmas.

The vulnerability affects log4j, a logging service offered by Apache that is used in commercial and custom-built software applications. It allows an attacker to execute code on an affected device remotely and researchers fear unauthorized crypto mining and botnet expansions are just the beginning of how it might be used by malicious actors.    

CISA added the vulnerability, along with twelve others, Friday to its catalogue of known vulnerabilities. The log4j vulnerability, which rates a 10 out of 10 on the severity scale, must be remediated by Dec. 24 according to the binding operational directive under which CISA created and first issued the catalog.  

“We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity,” CISA Director Jen Easterly said in a press release Saturday highlighting the log4j vulnerability. “We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies -- and signals to non-federal partners -- to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability.”  

Easterly noted that end users will to some extent remain at the mercy of their vendors and emphasized the agency’s efforts to work with the private sector through a Joint Cyber Defense Collaborative, which includes the participation of cloud and other internet and cybersecurity service providers.  

“End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.  Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates,” Easterly said. “The Joint Cyber Defense Collaborative is designed to manage this kind of risk. We have established a JCDC senior leadership group to coordinate collective action and ensure shared visibility into both the prevalence of this vulnerability and threat activity.”

Both Easterly and National Security Agency Cybersecurity Director Rob Joyce used the situation to underscore the importance of maintaining a software bill of materials for products, whether they are purchased or built in-house.

“The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA,” Joyce tweeted Friday. “This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure.”