The Cybersecurity and Infrastructure Security Agency has fast-tracked Log4j vulnerability mitigation across the civilian federal government.
The move, announced by Jen Easterly in a statement late Saturday, adds the damaging bug to a recently established catalog of high-profile vulnerabilities that most agencies must prioritize for patching and mitigation within two weeks. Because the government and industry are often vulnerable to the same attacks, CISA stresses that the list and mitigation schedule it provides are often equally relevant to industry and other sectors.
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” Easterly said.
Security researchers say the popular Java logging library is widely embedded in Apache servers and is used in millions of applications. Servers for Minecraft, iCloud, Steam and others have already been flagged as affected, but one of the most pressing challenges is that many organizations and vendors don’t know how many of their systems and software are reliant on the vulnerable code.
CISA and other agencies are currently working with industry to develop a Software Bill of Materials, or a framework for vendors to catalog where different parts of their codebase come from, something proponents say would make it easier to identify and defend against vulnerabilities like Log4j.
The agency is collaborating with stakeholders both in the federal space and across industry to identify software that uses the open-source component and flag products that may be affected, but stressed that it will require a collective effort by vendors and their customers.
“End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software,” Easterly said. “Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”
Easterly also said the agency had established a senior leadership group at the Joint Cyber Defense Collaborative — a collaborative nerve center set up between federal agencies and the private sector — to coordinate further collective actions on the damaging bug. The agency is also coordinating a call Monday with critical infrastructure operators to offer technical expertise and answer questions.
In addition to patching known instances, CISA offered three additional tips to defenders: enumerate any external-facing devices known to have Log4j installed, take action on every single alert related to the bug, and use web application firewalls that update their rules automatically, freeing up staff in security operations centers for more high-level analysis.
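The enumeration step is the hard part, since log4j-core is usually buried inside application archives rather than installed as a standalone package. The script below is an added example, not CISA's tooling or anything from the original article: it walks a directory tree, opens every jar/war/ear, descends into nested jars, and reads the Maven `pom.properties` that log4j-core ships with to report the bundled version. The sample tree it scans is constructed inline so it runs offline.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Maven metadata that log4j-core ships inside its jar; reading it is more
# reliable than trusting the file name, which repackaged bundles often change.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _scan_archive(data, label, found):
    """Record log4j-core versions in one archive, descending into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive (or corrupt); nothing to inventory
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        found.append((label, line.split("=", 1)[1].strip()))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # "outer!inner" labels show exactly which bundle carries the library
                _scan_archive(zf.read(name), f"{label}!{name}", found)


def find_log4j_core(root):
    """Walk a directory tree and return [(archive location, log4j-core version), ...]."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), found)
    return found


def build_sample_tree():
    """Constructed sample (hypothetical app names): a .war bundling log4j-core, plus a clean jar."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.14.1\n")
    os.makedirs(os.path.join(root, "apps"))
    with zipfile.ZipFile(os.path.join(root, "apps", "shop.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "apps", "clean.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    for location, version in find_log4j_core(build_sample_tree()):
        print(f"{location}: log4j-core {version}")
```

Point `find_log4j_core` at an application root or a mounted image to get the per-host inventory that the patching and alert-triage steps depend on.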