A new Emergency Directive from the U.S. Department of Homeland Security (DHS) lights a fire under federal agencies to address their systems that are vulnerable to the Log4j flaw.
Under the directive, federal agencies have until Dec. 23 to evaluate their internet-facing systems and determine whether they are affected by the Log4j flaw. For the systems that are impacted, federal agencies must apply patches as soon as possible, implement mitigation measures or remove the affected software assets from their agency networks.
“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” according to the Cybersecurity & Infrastructure Security Agency (CISA) on Friday. “This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”
The directive also requires agencies to report all impacted software applications by Dec. 28 with further information on the vendor name, application name and version, and the steps that agencies took to either patch or mitigate the systems.
The directive comes amid reports of exploitation attempts against the critical flaw in the widely used Apache logging library by nation-state actors and, most recently, by the Conti ransomware group. Because of this ongoing exploitation, CISA said that agencies with affected systems should act under the assumption that they have already been compromised.
“For all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns,” according to the advisory.
Previously, the flaw (CVE-2021-44228) had been added to CISA’s Known Exploited Vulnerabilities Catalog with agencies instructed to apply updates by Dec. 24. However, the Emergency Directive goes a step further by requiring agencies to implement additional mitigation measures for vulnerable products that do not yet have patches available, in addition to patching vulnerable internet-facing assets immediately.
CISA said that it will continue to work with partners to monitor for active exploitation of the flaw and plans to provide a report by Feb. 15 identifying cross-agency status. The mitigation measures that have been recommended by CISA include deploying a Web Application Firewall (WAF) in front of the solution stack; disabling the Log4j library, JNDI lookups or remote codebases; applying micropatches; and isolating systems.
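The directive asks agencies to do two concrete things with the software they find: record the product and version for the Dec. 28 report, and either patch or apply a mitigation such as disabling JNDI lookups. The following script is an added example written for this page, not code from CISA or from the Apache Log4j project. It walks JAR, WAR and EAR archives (including jars nested inside application archives), reads the version that log4j-core records in its Maven pom.properties entry, and reports whether the JndiLookup class is still present, which is what an inventory needs to show before and after the "remove the JndiLookup class" form of the JNDI mitigation. The sample archives, their version string and the class path layout inside the archive are constructed in the script for the demonstration; on a real host you would point it at the archives you find on disk.

```python
"""Inventory helper for the Log4j directive: locate log4j-core inside archives,
record its version, and check whether the JndiLookup class is still shipped.

Added example for this page; not CISA's or the Log4j project's own tooling.
"""
import io
import sys
import zipfile

# Paths inside a log4j-core jar. The pom.properties entry is what Maven-built
# jars carry; the class is the one the JNDI-lookup mitigation removes.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _read_version(zf):
    """Return the version= value from log4j-core's pom.properties, or None."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, label="archive", depth=0, max_depth=5):
    """Scan one archive (bytes) and any archives nested in it.

    Returns a list of findings, one per log4j-core occurrence:
    {"path": <where it was found>, "version": <str or None>,
     "jndi_lookup_present": <bool>}.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive; nothing to report
    with zf:
        names = set(zf.namelist())
        version = _read_version(zf)
        jndi_present = JNDI_LOOKUP_CLASS in names
        if version is not None or jndi_present:
            findings.append({"path": label, "version": version,
                             "jndi_lookup_present": jndi_present})
        if depth < max_depth:  # bounded recursion into fat jars / WARs / EARs
            for name in sorted(names):
                if name.lower().endswith(NESTED_SUFFIXES):
                    findings.extend(scan_archive(zf.read(name), f"{label}!{name}",
                                                 depth + 1, max_depth))
    return findings


def scan_path(path):
    """Scan an archive on disk; the label is the file path itself."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)


def _make_jar(entries):
    """Build an in-memory zip from {entry_name: content} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples():
    """Constructed sample archives: an unmitigated log4j-core jar, the same jar
    with JndiLookup.class removed, and a WAR that embeds the unmitigated jar.
    The version string and class bytes are placeholders, not real artifacts."""
    pom = "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n"
    fake_class = b"\xca\xfe\xba\xbe"  # Java class-file magic only
    unmitigated = _make_jar({POM_PROPERTIES: pom, JNDI_LOOKUP_CLASS: fake_class})
    mitigated = _make_jar({POM_PROPERTIES: pom})
    webapp = _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": unmitigated,
                        "WEB-INF/classes/App.class": fake_class})
    return {"log4j-core-2.14.1.jar": unmitigated,
            "log4j-core-2.14.1-nojndi.jar": mitigated,
            "app.war": webapp}


def main(argv):
    # With file arguments: scan real archives. Without: run on the samples.
    targets = ([(p, scan_path(p)) for p in argv[1:]] if argv[1:]
               else [(n, scan_archive(d, n)) for n, d in build_samples().items()])
    for name, findings in targets:
        if not findings:
            print(f"{name}: no log4j-core found")
        for f in findings:
            status = "JndiLookup present" if f["jndi_lookup_present"] else "JndiLookup removed"
            print(f"{f['path']}: log4j-core version={f['version']} ({status})")


if __name__ == "__main__":
    main(sys.argv)
```

The output lines map directly onto the reporting fields the directive asks for (application, version) plus the mitigation state. Note that this only tells you whether the class was physically removed; the other forms of the JNDI mitigation (a system property or environment variable on supported versions, or an upgraded jar) have to be recorded from the deployment configuration, and a finding with the class present is a prompt to patch, not proof of compromise.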
Emergency Directives, which allow the DHS to mandate actions for federal agencies in response to known security vulnerabilities, have previously been leveraged for various significant threats over the past year, including one related to the SolarWinds attack, exploited Microsoft Exchange flaws and a zero-day flaw in the Pulse Connect Secure VPN appliance.