The Cybersecurity and Infrastructure Security Agency order comes as a prominent firm says nation states are exploiting the vulnerabilities.
Federal agencies have until 5 p.m. on Dec. 23 to assess their software using a database the Cybersecurity and Infrastructure Security Agency created of assets affected by widespread vulnerabilities in an open-source resource that security professionals fear are being exploited by nation-state actors.
“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said Friday, issuing an emergency directive. “CISA also strongly urges every organization large and small to follow the federal government’s lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive. If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats.”
CISA first flagged the vulnerabilities on Monday by adding them to a catalog it keeps on known flaws that are actively being exploited. The catalog includes dates for each of the vulnerabilities to be remediated—in the case of the log4j vulnerabilities CISA ordered patches be made by Christmas Eve—under a binding operational directive.
Since then, CISA created a page dedicated to guidance on remediating the vulnerabilities that exist in an open-source platform used to log event data from devices, hundreds of millions of which could be affected, and a GitHub repository of assets containing the vulnerabilities.
Soon after the vulnerabilities were discovered security professionals connected them to criminal activity such as crypto mining and ransomware efforts. But more recently the cybersecurity firm Mandiant, which disclosed the SolarWinds breach last year, said they found evidence the log4j flaws were being exploited by actors connected to China and Iran. That could keep agencies on guard way into the future.
“In some cases, state sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known,” reads a Dec.15 blog post from Mandiant. “In other cases, they may conduct broad exploitation and then conduct further post-exploitation activities of targets as they are tasked to do so.”
CISA’s emergency directive also puts agencies under a Dec. 28 deadline to report on their activities connected to the vulnerabilities. For all affected software applications they identify using the repository, they must include” the vendor name, the name and version of the application, and what action was taken, whether that was an update, mitigation, or removal from the agency’s network.
CISA in turn committed to provide technical assistance to agencies who need it in order to comply with the directive and to report to the Secretary of Homeland Security and the director of the Office of Management and Budget by Feb. 15 on any outstanding issues.