Three weeks after the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to address systems vulnerable to the Log4j flaw, CISA said that so far “all major agencies have made significant progress” in rolling out fixes or mitigations.
The Dec. 17 directive required federal agencies whose systems were affected to apply patches, implement mitigations, or remove affected software assets from their agency networks by Dec. 23. The directive also required agencies to report all affected software applications by Dec. 28, along with the vendor name, the application name and version, and the actions taken to fix or mitigate affected systems.
In a statement, a CISA spokesperson said, “Agencies responded with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even during the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the Internet.”
“CISA has received status reports from all major agencies, which have made significant progress in remediating or deploying other mitigation measures to address vulnerable asset risk, including already mitigating thousands of internet-connected assets, at the center of the recent emergency directive,” the CISA spokesperson said.
The flaw (CVE-2021-44228) in the widely used Apache logging library left government agencies – as well as organizations in other verticals – scrambling to apply patches in December, especially as exploitation attempts by nation-state actors increased.
The emergency directive put more pressure on federal agencies to fix the flaw by setting deadlines to patch or implement additional mitigations. CISA-recommended mitigations include deploying a Web Application Firewall (WAF) in front of the solution stack; disabling the Log4j library, JNDI lookups, or remote codebases; applying micropatches; and isolating systems.
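One way to build the inventory the directive asks for (application, Log4j version, action taken) and to verify the “disable JNDI lookups” mitigation on deployed jars, as an added example that is not from CISA or the article: it reads each log4j-core jar’s Maven pom.properties for the version and checks whether the JndiLookup class is still present. The jar layout and the 2.15.0 fix version for CVE-2021-44228 come from Apache’s published guidance; the sample jars are constructed in the code and contain no real bytecode.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Removing this class from the jar is one published way to disable JNDI lookups.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # first Log4j 2 release fixing CVE-2021-44228; this check covers that CVE only

@dataclass
class Finding:
    path: str
    version: tuple
    jndi_lookup_present: bool

    @property
    def status(self) -> str:
        """patched: fixed release; mitigated: older release with JndiLookup removed."""
        if self.version >= FIXED_VERSION:
            return "patched"
        return "vulnerable" if self.jndi_lookup_present else "mitigated"

def parse_version(text: str) -> tuple:
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())

def inspect_jar(data: bytes, path: str) -> Finding:
    """Version from Maven pom.properties (fallback: file name); JndiLookup presence."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        source = jar.read(POM_PROPERTIES).decode() if POM_PROPERTIES in names else Path(path).name
        return Finding(path, parse_version(source), JNDI_LOOKUP_CLASS in names)

def scan_tree(root: Path) -> list:
    """Walk a deployment tree and inspect every log4j-core jar for the status report."""
    return [inspect_jar(p.read_bytes(), str(p)) for p in root.rglob("log4j-core-*.jar")]

def make_sample_jar(version: str, with_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: only metadata, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()
```

Run `scan_tree(Path("/opt/app"))` against a deployment directory to list every jar as patched, mitigated, or vulnerable; a jar that is neither upgraded nor stripped of JndiLookup still needs the WAF or isolation controls named above.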
In a December report, researchers at Trend Micro said that of the 7% of their customers affected by the Log4j flaw, many were in the government vertical. Ed Cabrera, head of cybersecurity at Trend Micro, said that when it comes to managing vulnerabilities, government agencies vary widely in the risks they face and in the resources and funding they can access.
“It depends on their mission…which then depends on the infrastructure they have,” Cabrera said. “What also comes into play is the age of the agency. You have a lot of legacy applications and systems that departments and agencies deal with that are out of contract, unsupported, and running out of time. And a Log4j event highlights it.”
Beyond CISA, other government bodies are pressing organizations to patch the Log4j flaw, with the Federal Trade Commission (FTC) warning Monday that failure to identify and fix instances of the flaw can violate the FTC Act, which prohibits unfair and deceptive practices affecting commerce, and the Gramm-Leach-Bliley Act, which requires financial institutions to protect sensitive data.
“The FTC intends to use its full legal authority to prosecute companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the FTC said in a statement.
CISA said it continues to work with each agency to “further advance the restoration of all at-risk assets.” CISA did not comment further on the number of agencies that have fully complied with the directive; however, the agency will provide a report by February 15 identifying inter-agency status.