CISA Sets Dec. 24 Deadline to Address Log4Shell Vulnerability

The Cybersecurity and Infrastructure Security Agency has given federal agencies until Dec. 24 to apply fixes to the Apache Log4Shell system security flaw.

The deadline follows CISA’s addition of the vulnerability to its critical remote code execution flaw catalog on Monday. The issue was spotted on Dec. 9 in remote code compromises against the servers of the video game Minecraft. Since the vulnerability was discovered, cybersecurity firms have detected active scanning by bad actors to find vulnerable servers. Under binding operational directives issued by the Department of Homeland Security, agencies have 15 days to respond to critical risk vulnerabilities and 30 days for high-risk vulnerabilities, FedScoop reported Tuesday.

Matt Olney, director of threat intelligence and interdiction at Cisco’s Talos Intelligence Group, said the vulnerability is expected to impact federal agencies. He shared that the issue gives government organizations the chance to show how quickly they can identify and mitigate network threats.

Log4Shell is a zero-day vulnerability that exploits the Java-based Log4j logging tool. Log4j has the ability to perform network lookups and execute payload with full privileges.

When CISA announced Log4Shell as a critical risk, agency Director Jen Easterly said government agencies have a limited amount of time to reduce the likelihood of a serious compromise. She added that the Apache Log4j issue is the most serious she has seen in her career. Jay Gazlay from CISA’s vulnerability management office added that hundreds of millions of devices are likely to be affected.

Agencies from Canada and other countries in Oceania and Europe have also issued a warning for the Java-based security gap.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now