The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch systems against the critical Log4Shell vulnerability and released mitigation guidance in response to active exploitation.
This follows threat actors' head start in scanning for and exploiting systems vulnerable to Log4Shell in order to deploy malware.
Although Apache quickly released a patch for the maximum-severity remote code execution flaw (CVE-2021-44228) targeted by the exploits published on Friday, the fix came only after attackers had already begun using those exploits in the wild.
Since Apache Log4j is a ubiquitous dependency for enterprise applications and websites, it’s highly likely that its ongoing exploitation will eventually lead to widespread attacks and malware deployment.
Log4Shell mitigation guidance
CISA has now created a dedicated page with technical details about the Apache Log4j logging library flaw and patching information for vendors and impacted organizations.
“CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately,” the cybersecurity agency said.
CISA's list of actions for all organizations using products that include the vulnerable Log4j library covers patching those products and three additional, immediate steps: enumerating internet-facing endpoints that use Log4j, ensuring that security operations centers (SOCs) act on every alert raised by those internet-exposed devices, and installing a web application firewall (WAF) that automatically updates with the latest rules.
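The first of those steps, enumerating what actually ships Log4j, is harder than it sounds because log4j-core is usually buried inside WARs, EARs and fat JARs rather than sitting on disk as a plain jar. The script below is an added example, not CISA's or Apache's code: it walks a directory tree, opens every archive, descends into nested archives, reads the version that Maven records in log4j-core's pom.properties (the path `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` is assumed to be present, which holds for Maven-built log4j-core jars but not for shaded or relocated copies), and flags anything older than the 2.15.0 version the guidance names. The sample archives it builds are constructed fixtures, not real Log4j binaries.

```python
"""Inventory log4j-core versions in JAR/WAR/EAR files, including jars nested
inside other archives, and flag anything older than the 2.15.0 fix."""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Tuple

FIXED_VERSION = (2, 15, 0)  # version CISA's guidance tells organizations to reach
# Assumption: Maven-built log4j-core jars carry their coordinates at this path.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def needs_upgrade(version: str) -> bool:
    """True when the recorded version is older than the 2.15.0 fix."""
    return parse_version(version) < FIXED_VERSION


def _log4j_core_version(zf: zipfile.ZipFile) -> str:
    """Return the version= line from log4j-core's pom.properties, or ''."""
    if POM_PROPS not in zf.namelist():
        return ""
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return ""


def scan_archive(data: bytes, label: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for each log4j-core in an archive, recursing
    into nested archives such as WEB-INF/lib/*.jar inside a WAR."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        version = _log4j_core_version(zf)
        if version:
            yield label, version
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(name), f"{label}!{name}")


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory and collect every log4j-core hit under it."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    hits.extend(scan_archive(f.read(), path))
    return hits


def report(root: str) -> List[Tuple[str, str, bool]]:
    """Sorted (location, version, needs_upgrade) rows for a directory tree."""
    return sorted((loc, ver, needs_upgrade(ver)) for loc, ver in scan_tree(root))


def _fake_log4j(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed fixtures: a vulnerable loose jar, a WAR bundling a patched
    jar under WEB-INF/lib, and an unrelated jar that must not be reported."""
    app = os.path.join(root, "app")
    os.makedirs(app, exist_ok=True)
    with open(os.path.join(app, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_fake_log4j("2.14.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", _fake_log4j("2.15.0"))
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    with open(os.path.join(app, "site.war"), "wb") as f:
        f.write(war.getvalue())
    other = io.BytesIO()
    with zipfile.ZipFile(other, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(app, "other.jar"), "wb") as f:
        f.write(other.getvalue())


def demo() -> List[Tuple[str, str, bool]]:
    """Build the constructed tree in a temp dir and return the report rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return report(tmp)


if __name__ == "__main__":
    for loc, ver, bad in demo():
        print(f"{'UPGRADE' if bad else 'ok     '} {ver:8} {loc}")
```

Run it against a host's application directories (for example the deployment folders of every application server facing the internet) rather than the temp-dir demo, and treat an empty result as "not found by this method" rather than "not present": a shaded or relocated copy of log4j-core has no pom.properties at that path and needs a class-name search or a vendor statement to rule out.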
We’re working closely with our public and private sector partners to address a critical vulnerability affecting the Apache log4j #software library. This vulnerability is being widely exploited by threat actors and presents an urgent challenge to patch: https://t.co/utbcDZBtPv
— Cybersecurity and Infrastructure Security Agency (@CISAgov)
Federal agencies ordered to patch before Christmas
On December 10, the day Log4Shell exploits were published online, CISA also added the CVE-2021-44228 Apache Log4j vulnerability to its Known Exploited Vulnerabilities Catalog.
The catalog lists hundreds of security vulnerabilities known to be exploited in the wild and that expose government networks to significant risk if attackers use them successfully.
In accordance with BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities) issued in November, all federal civilian executive branch agencies must now mitigate Log4Shell on internet-facing and non-internet-facing federal information systems by December 24, 2021.
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” CISA Director Jen Easterly said in a statement issued over the weekend.
“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”