Apache Log4j Vulnerability Update – CISA Issues Emergency Directive

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive this past Friday concerning the Log4j vulnerability.

According to CISA, the Log4j vulnerability poses an "unacceptable risk" to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise and the high potential for a compromise of agency information systems.

CISA’s directive, titled the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 22-02, “Mitigate Apache Log4j Vulnerability,” requires federal civilian departments and agencies to immediately identify all software impacted by Log4j by close of business on December 23, 2021, and to either patch vulnerabilities or remove the impacted software from their networks. The directive also requires agencies to report the impacted software and the actions taken to CISA by close of business on December 28th.

“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said following the emergency directive. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”

The emergency directive is available to view online at www.cisa.gov/emergency-directive-22-02, and an excerpt from the full description of the required actions is below for quick reference:

By 5 pm EST on December 23, 2021:

  1. Enumerate all solution stacks accepting data input from the internet.
  2. Evaluate all software assets in identified solution stacks against the CISA-managed GitHub repository (https://github.com/cisagov/log4j-affected-db) to determine whether Log4j is present in those assets and, if so, whether those assets are affected by the vulnerability.
    1. If the software product is not listed in the repository, request addition by submitting a “pull” request using the link on the GitHub page.
  3. For all software assets that agencies identify as affected by CVE-2021-44228:
    1. Update assets for which patches have been provided. Remediation timelines prescribed in BOD 22-01 “may be adjusted in the case of grave risk to the Federal Enterprise.” Given the criticality of CVE-2021-44228, agencies must immediately patch any vulnerable internet-facing devices for which patches are available, under an emergency change window.
    2. Mitigate the risk of vulnerability exploitation using one of the mitigating measures provided at: link.
    3. Remove affected software assets from agency networks.
  4. For all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).
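The last action above asks agencies to watch for DMZ systems initiating outbound connections and for JNDI LDAP/RMI traffic leaving the network. The script below is an added example of what that monitoring can look like at its simplest; it is not code from CISA or from the article. It assumes a constructed key=value firewall export, a DMZ subnet of 10.20.0.0/24 and the RFC 1918 ranges as "internal"; every DMZ-initiated connection to a non-internal address is reported, and a destination port matching the well-known LDAP (389/636) or Java RMI registry (1099) port raises the severity. Denied attempts are kept as well, since a blocked egress attempt still shows the host tried to call out.

```python
"""Flag DMZ hosts initiating outbound connections, with extra weight on LDAP/RMI ports.

Added illustration for ED 22-02 action 4; not code from CISA or the article.
The log format, network ranges and sample lines below are all constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumed network layout: one DMZ subnet; anything outside RFC 1918 space is "outbound".
DMZ_NETWORK = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Well-known ports for the protocols the directive names: LDAP, LDAPS and the Java RMI registry.
JNDI_PORTS = {389: "ldap", 636: "ldaps", 1099: "rmi"}

# Constructed firewall export in key=value form (not real agency data).
SAMPLE_LOGS = """\
2021-12-19T14:02:11Z action=allow src=10.20.0.15 dst=198.51.100.7 dport=443 proto=tcp
2021-12-19T14:02:13Z action=allow src=10.20.0.15 dst=203.0.113.44 dport=389 proto=tcp
2021-12-19T14:02:13Z action=allow src=10.20.0.15 dst=203.0.113.44 dport=1099 proto=tcp
2021-12-19T14:02:20Z action=allow src=10.50.1.9 dst=10.20.0.15 dport=8080 proto=tcp
2021-12-19T14:02:31Z action=deny src=10.20.0.22 dst=203.0.113.90 dport=8443 proto=tcp
2021-12-19T14:03:02Z action=allow src=10.50.1.9 dst=198.51.100.7 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_line(line):
    """Parse one key=value log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        return {
            "ts": m.group("ts"),
            "action": fields["action"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(event):
    """Return a finding if a DMZ host initiated a connection to a non-internal address, else None.

    A denied attempt is still reported: the host tried to reach out, which is the
    post-exploit behaviour the directive says to investigate, even if the firewall stopped it.
    """
    if event["src"] not in DMZ_NETWORK or is_internal(event["dst"]):
        return None
    service = JNDI_PORTS.get(event["dport"])
    return {
        "ts": event["ts"],
        "src": str(event["src"]),
        "dst": str(event["dst"]),
        "dport": event["dport"],
        "action": event["action"],
        # A port match raises severity; a listener can sit on any port, so every DMZ egress is kept.
        "severity": "high" if service else "medium",
        "reason": f"DMZ host initiated outbound {service or 'tcp'} connection",
    }


def find_dmz_egress(log_text):
    """Run the classifier over raw log text and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


def hosts_to_investigate(findings):
    """Count findings per DMZ source so the noisiest hosts are triaged first."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    results = find_dmz_egress(SAMPLE_LOGS)
    for f in results:
        print(f"{f['ts']} {f['severity']:6} {f['src']} -> {f['dst']}:{f['dport']} ({f['action']}) {f['reason']}")
    print("hosts by finding count:", dict(hosts_to_investigate(results)))
```

On the constructed sample this reports four findings: the two connections from 10.20.0.15 to port 389 and 1099 as high, and the HTTPS connection and the denied 8443 attempt as medium; the internal-to-DMZ request on 8080 is ignored. Against real data the DMZ and internal ranges must match the agency's own addressing, and the port table is only a prioritisation aid: the directive's point is that a DMZ system reaching out at all is the anomaly to investigate.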

By 5 pm EST on December 28, 2021:

  1. Report all affected software applications identified in (3) above using the provided template, including:
    1. Vendor name
    2. Application name and version
    3. Action taken (e.g. updated, mitigated, removed from agency network)
  2. Confirm with [email protected] that your agency’s Internet-accessible IP addresses on file with CISA are up to date, as required by CISA Binding Operational Directive 19-02.

These required actions apply to agency applications in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information (i.e. all applications in agency ATO boundaries).

For federal information systems hosted in third-party environments (such as cloud), each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise), conducting all necessary reporting to CISA accounting for such systems and working with service providers directly for status updates pertaining to, and to ensure compliance with, this Directive.

This article is a continuation of our Apache Log4j Vulnerability series, available at https://www.schneiderdowns.com/our-thoughts-on/category/cybersecurity. We encourage you to share our article with your network and reach out with any questions at [email protected].

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
