CISA releases emergency directive to mitigate threats caused by Log4j vulnerabilities


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued on Friday an emergency directive to the federal civilian executive branch agencies to mitigate the threats caused by the Apache Log4j series of vulnerabilities. The emergency directive remains in effect until CISA determines that all agencies operating affected software have performed all required actions under this directive, or the directive is terminated through other appropriate action. 

CISA has asked the federal civilian executive branch agencies to, by 5 pm EST on Dec. 23, enumerate all solution stacks accepting data input from the internet, and to evaluate all software assets in the identified solution stacks against the CISA-managed GitHub repository to determine whether Log4j is present in those assets and, if so, whether those assets are affected by the vulnerability.

The emergency directive comes after the security agency assessed “unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.” The decision is based on the current exploitation of the Log4j vulnerability by hackers in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.

The exploitation of one of these vulnerabilities allows an unauthenticated attacker to remotely execute code on a server, CISA said. Successful exploitation can occur even if the software accepting data input is not written in Java; such software is able to pass malicious strings to other (back end) systems that are written in Java, it added.   

For all software assets that agencies identify as affected by the open-source Java logging library, CISA has asked the federal civilian executive branch agencies under the emergency directive to update assets for which patches have been provided. “Remediation timelines prescribed in BOD 22-01 ‘may be adjusted in the case of grave risk to the Federal Enterprise.’ Given the criticality of CVE-2021-44228, agencies must immediately patch any vulnerable internet-facing devices for which patches are available, under an emergency change window,” it added.

Where patching is not possible, CISA has directed the federal civilian executive branch agencies to deploy a properly configured web application firewall (WAF) in front of the solution stack, disable the Log4j library, disable JNDI (Java Naming and Directory Interface) lookups or disable remote codebases, apply micro-patching, and isolate the system. These measures are to be considered a temporary solution. The agency also gave federal agencies the option to remove affected software assets from agency networks.
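Two of the directive's steps, enumerating which assets contain Log4j (the Dec. 23 action) and applying a micro-patch where an update is not possible, as an added Python example. This is not CISA's code and not the CISA-managed GitHub repository the directive references. It assumes the usual layout of a log4j-core JAR (the `Logger` and `JndiLookup` class paths and the `Implementation-Version` manifest field) and uses 2.15.0, the release in which Apache fixed CVE-2021-44228, as the version threshold; the sample JARs are constructed placeholders with empty class bodies.

```python
"""Inventory JAR/WAR/EAR files for the Log4j 2 core library and apply the
JndiLookup.class removal mitigation. Added example: not CISA's tooling and not
the CISA-managed GitHub repository the directive refers to. The 2.15.0 threshold
is the fix release Apache published for CVE-2021-44228; the marker class names
and the manifest field are how log4j-core JARs are laid out in practice."""
import io
import re
import zipfile
from pathlib import Path

CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"  # present in every log4j-core JAR
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
FIXED_44228 = (2, 15, 0, 1)  # first release with the CVE-2021-44228 fix, as a version_key tuple
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def version_key(version):
    """Map '2.14.1', '2.0-beta9' or '2.0-rc1' to a sortable tuple. Pre-releases sort
    before the matching final release; unparseable strings sort lowest, so an
    unknown version is flagged conservatively rather than silently passed."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\w+)?", version or "")
    if not m:
        return (0, 0, 0, 0)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def assess_jar(jar_bytes, name="<memory>"):
    """Classify one archive and every archive nested in it (fat JARs, WARs):
    is log4j-core present, which version, is JndiLookup.class still there, and
    does the version fall in the CVE-2021-44228 range."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if CORE_MARKER in names:
            version = "unknown"
            if MANIFEST in names:
                manifest = zf.read(MANIFEST).decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if m:
                    version = m.group(1)
            findings.append({
                "file": name,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
                "cve_2021_44228": version_key(version) < FIXED_44228,
            })
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(assess_jar(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and assess every archive in it (the asset enumeration step)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(assess_jar(path.read_bytes(), str(path)))
    return findings


def remove_jndi_lookup(jar_bytes):
    """Return a copy of the archive with JndiLookup.class removed, the 'micro-patch'
    CISA lists as a temporary measure where updating is not possible. Every other
    entry is copied unchanged; the caller is responsible for redeploying the JAR."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info))
    return out.getvalue()


def build_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core JAR; class bodies are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(CORE_MARKER, b"")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed application bundle with log4j-core 2.14.1 nested under lib/.
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1"))
    for finding in assess_jar(app.getvalue(), "app.jar"):
        print(finding)
    for finding in assess_jar(remove_jndi_lookup(build_sample_jar("2.14.1")), "patched.jar"):
        print(finding)
```

Running `scan_tree` over the deployment directories of each internet-facing solution stack yields the inventory the Dec. 28 report asks for (file, version, action taken). Findings with `cve_2021_44228` true are update candidates first; where no update exists, `remove_jndi_lookup` produces the micro-patched archive, which should be redeployed and then rescanned so the report reflects `jndi_lookup_present` false. Unknown versions are deliberately flagged rather than passed, since a stripped manifest is not evidence of safety.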

The CISA emergency directive for the Log4j vulnerability also called “for all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).”
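The two traffic patterns the directive names, outbound LDAP/RMI traffic and DMZ systems initiating outbound connections, turned into a triage pass over egress connection logs, as an added Python example that is not CISA's code. The log line format, the DMZ address range, the internal ranges and the egress allowlist are assumptions for the demo, and the log lines are constructed.

```python
"""Triage egress connection logs for the indicators CISA's directive names:
outbound LDAP/RMI traffic and DMZ systems initiating outbound connections.
Added example over constructed log lines; not CISA's tooling. The log line
format, the DMZ range, the internal ranges and the egress allowlist are
assumptions for the demo."""
import ipaddress
import re
from collections import Counter

DMZ_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]   # assumed DMZ address range
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in   # assumed internal ranges; anything
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # else is treated as Internet
EGRESS_ALLOWLIST = {"198.51.100.10"}                     # assumed approved egress destination
JNDI_PORTS = {389: "ldap", 636: "ldaps", 1099: "rmi"}    # registered LDAP/RMI ports a JNDI lookup contacts
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed firewall log: DMZ web host 10.10.5.21, DMZ host 10.10.5.22,
# an internal host 10.20.1.7, plus one malformed line.
SAMPLE_LOG = """\
2021-12-17T10:02:11Z src=10.10.5.21 dst=198.51.100.10 dport=443 proto=tcp action=allow
2021-12-17T10:02:13Z src=10.10.5.21 dst=203.0.113.44 dport=8080 proto=tcp action=allow
2021-12-17T10:02:14Z src=10.10.5.21 dst=203.0.113.44 dport=389 proto=tcp action=deny
2021-12-17T10:02:15Z src=10.10.5.22 dst=10.0.0.5 dport=1099 proto=tcp action=allow
2021-12-17T10:03:00Z src=10.20.1.7 dst=203.0.113.9 dport=443 proto=tcp action=allow
not a connection record
"""


def parse_line(line):
    """Parse one record into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def in_dmz(ip):
    return any(ip in net for net in DMZ_NETWORKS)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETWORKS)


def classify(rec):
    """Return (severity, reason) for a record that matches an indicator, else None.
    Denied connections are kept: a blocked callback is still evidence of an attempt."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if not in_dmz(src) or rec["dst"] in EGRESS_ALLOWLIST:
        return None
    service = JNDI_PORTS.get(rec["dport"])
    external = not is_internal(dst)
    if service and external:
        return ("high", f"DMZ host initiated outbound {service} to the Internet")
    if service:
        return ("medium", f"DMZ host initiated {service} to an internal address")
    if external:
        return ("medium", "DMZ host initiated outbound connection to a non-allowlisted Internet address")
    return None


def triage(log_text):
    """Run every line through the classifier. Returns the alerts in log order,
    a per-source count (which DMZ host to investigate first), and the number
    of lines that did not parse."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        hit = classify(rec)
        if hit:
            alerts.append({**rec, "severity": hit[0], "reason": hit[1]})
    return alerts, Counter(a["src"] for a in alerts), skipped


if __name__ == "__main__":
    alerts, by_host, skipped = triage(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['ts']} {a['severity']:6} {a['src']} -> {a['dst']}:{a['dport']} "
              f"({a['action']}) {a['reason']}")
    print("hosts to investigate:", dict(by_host), "| unparsed lines:", skipped)
```

The port check is the narrow indicator: it only catches callbacks to the registered LDAP/RMI ports, and a lookup can be pointed at any port. That is why the broader rule, a DMZ host opening any connection to a non-allowlisted Internet address, is reported too, at lower severity; under the directive's "assume compromise" posture both go to the incident handler, and the per-host counter orders the work.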

CISA has also set 5 pm EST on Dec. 28 as the deadline for federal civilian executive branch agencies to report all affected software applications identified, using the provided template, including vendor name, application name and version, and the action taken, such as whether the asset was updated, mitigated or removed from the agency network.

Finally, these agencies must confirm via email with the security agency at [email protected] that their Internet-accessible IP addresses on file with CISA are up to date, as required by CISA Binding Operational Directive 19-02.

CISA also said that it will provide technical assistance to agencies that lack the internal capabilities needed to comply with the emergency directive. “By February 15, 2022, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues,” it added.
