Apache Log4j Vulnerability Update – CISA Issues Emergency Directive

The US Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) issued an emergency directive this past Friday concerning the Log4j vulnerability.

According to CISA, the Log4j vulnerability poses an "unacceptable risk" to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise and the high potential for a compromise of agency information systems.

CISA’s directive, titled the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 22-02, “Mitigate Apache Log4j Vulnerability” requires federal civilian departments and agencies to immediately identify all software impacted by Log4j by close of business on December 23, 2021, and to either patch vulnerabilities or remove the impacted software from the networks. The directive also requires agencies to report the impacted software and actions taken to CISA by close of business on December 28^th.

“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said following the emergency directive. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”

The emergency directive is available to view online at www.cisa.gov/emergency-directive-22-02 and an excerpt from the full description of the required actions are below for quick reference:

By 5 pm EST on December 23, 2021:

1. Enumerate all solution stacks accepting data input from the internet.
2. Evaluate all software assets in identified solution stacks against the CISA-managed GitHub repository (https://github.com/cisagov/log4j-affected-db) to determine whether Log4j is present in those assets and if so, whether those assets are affected by the vulnerability.
   1. If the software product is not listed in the repository, request addition by submitting a “pull” request using the link on the GitHub page.
3. For all software assets that agencies identify as affected by CVE-2021-44228:

1. Update assets for which patches have been provided. Remediation timelines prescribed in BOD 22-01 “may be adjusted in the case of grave risk to the Federal Enterprise.” Given the criticality of CVE-2021-44228, agencies must immediately patch any vulnerable internet-facing devices for which patches are available, under an emergency change window.
   OR
2. Mitigate the risk of vulnerability exploitation using one of mitigating measures provided at: link.
   OR
3. Remove affected software assets from agency networks.

4. For all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns (e.g., JDNI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).

 By 5 pm EST on December 28, 2021:

5. Report all affected software applications identified in (3) above using the provided template, including:
   1. Vendor name
   2. Application name and version
   3. Action taken (e.g. updated, mitigated, removed from agency network)
6. Confirm with [email protected] that your agency’s Internet-accessible IP addresses on file with CISA are up to date, as required by CISA Binding Operational Directive 19-02.

These required actions apply to agency applications in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information (i.e. all applications in agency ATO boundaries).

For federal information systems hosted in third-party environments (such as cloud), each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise), conducting all necessary reporting to CISA accounting for such systems and working with service providers directly for status updates pertaining to, and to ensure compliance with, this Directive.

This article is a continuation of our Apache Log4j Vulnerability series, available at https://www.schneiderdowns.com/our-thoughts-on/category/cybersecurity. We encourage you to share our article with your network and reach out with any questions at [email protected]. 

Apache Log4j CISA Resources

• CISA Apache Log4j Vulnerability Guidance
• CISA Log4j (CVE-2021-44228) Vulnerability Guidance Github Repository

Apache Log4j Web Resources

• Apache – Log4j Security Vulnerability Center
• GitHub – BlueTeam CheatSheet * Log4Shell*
• Github – Log4j RCE Exploitation Detection

Related Articles

• Apache Log4j Vulnerability Update
• Apache Log4j Vulnerability Update – Government Responses and Ransomware Activity
• Apache Log4j Vulnerability Update – Remediation Tools and Patches

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.