CISA issues emergency directive to patch Log4j flaw

Jen Easterly at her nomination hearing to lead the Cybersecurity and Infrastructure Security Agency in June, 2021

Jen Easterly at her nomination hearing to lead the Cybersecurity and Infrastructure Security Agency in June, 2021 Kevin Dietsch / Getty Images

The Cybersecurity and Infrastructure Security Agency released an emergency directive on Friday ordering all federal agencies to take immediate action against a critical security flaw with potential long-term consequences for public and private infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) has released an emergency directive instructing all federal agencies to evaluate the entirety of their software assets for the presence of the Log4j security flaw and take immediate steps to mitigate the risk of exploitation.

The emergency directive said agencies must enumerate all solution stacks which accept data input from the web and evaluate software assets within those stacks against a CISA-managed GitHub repository to determine whether the security flaw is present, and if any assets have been affected, by 5:00 p.m. ET on December 23. 

Agencies are also required to "immediately patch any vulnerable internet-facing devices for which patches are available" or mitigate vulnerability exploitation risks using one of CISA's recommended mitigation measures. If agencies cannot implement either of those solutions, the directive instructs them to remove any affected software assets from their networks by that same deadline.

CISA Director Jen Easterly described the Log4j vulnerability, which can allow hackers to launch remote-code execution attacks when exploited and take control of Java-based web servers, as "the most serious vulnerability that I have seen in my decades-long career."

"Everyone should assume that they are exposed and vulnerable," Easterly told CNBC on Wednesday. "My view is that we are going to see widespread exploitation by all manner of threat actors, and likely impacts on both public and private infrastructure.”

She added: “We're doing everything we can with our partners to get ahead of that, but we're going to be dealing with this vulnerability for a very long time."

Agencies have until 5:00 p.m. EST on December 28 to confirm that their IP addresses on file with CISA are up to date and report all software applications affected by the Log4j vulnerability, including the vendor name, application name and version, as well as what actions were taken to address the threat.

Researchers have warned the recently identified vulnerability poses serious risks across the internet and for public and private entities since many popular online services and applications use the Log4j logging utility.