The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said today that all major federal agencies are successfully mitigating the critical Log4j vulnerability that the agency discovered in early December 2021.
The agencies were facing a December 24, 2021, deadline to address the vulnerability, and to date, CISA has yet to encounter any confirmed breaches from federal agencies via the vulnerability. The agency continues to work with agencies to address any risks.
“Agencies have responded with great urgency to successfully remediate assets running vulnerable Log4j libraries, even during the holiday season, or to mitigate the majority of identified affected applications that support ‘solution stacks’ that accept the ‘data entry from the Internet,’ a CISA spokesperson said. in a statement to MeriTalk today.
“CISA has received status reports from all major agencies, which have either remediated or deployed other mitigations to address the risk of thousands of internet-connected assets, at the center of the recent security directive. ’emergency,’ the agency added.
The vulnerability was first disclosed by CISA on December 11, when it was also added to the agency’s catalog of vulnerabilities created as part of CISA’s latest Binding Operational Directive. This started a two-week remediation clock for agencies.
CISA urged “swift action” on first disclosure, and while it saw no federal breaches, CISA’s Executive Director for Cybersecurity Eric Goldstein expressed concern over the vulnerability due to the widespread nature of the Java library in which the vulnerability was contained.
CISA increased the warning factor on December 17, upgrading the alert and issuing an emergency directive to federal agencies to immediately patch all systems running the library containing the vulnerability and implement any other mitigation measure required.
“CISA continues to work with each agency to further advance the restoration of all at-risk assets,” the spokesperson said.