Three weeks after the Cybersecurity & Infrastructure Security Agency (CISA) issued an Emergency Directive ordering federal agencies to address their systems that are vulnerable to the Log4j flaw, CISA said so far “all large agencies have made significant progress” in issuing either patches or mitigations.
The Dec. 17 directive mandated that federal agencies with impacted systems apply patches, implement mitigation measures or remove the affected software assets from their agency networks by Dec. 23. The directive also required agencies to report all impacted software applications by Dec. 28 with further information on the vendor name, application name and version, and the steps that agencies took to either patch or mitigate the systems.
In a statement, a CISA spokesperson said that “agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the internet.”
“CISA has received status reports from all large agencies, which have made significant progress in either patching or deploying alternate mitigations to address the risk from vulnerable assets, including by already mitigating thousands of internet-connected assets, the focus of the recent Emergency Directive,” said the CISA spokesperson.
The flaw (CVE-2021-44228) in the widely used Apache logging library left government agencies - as well as various organizations across other verticals - scrambling to apply patches during December, particularly as exploitation attempts by nation-state actors spiked.
The Emergency Directive put more pressure on federal agencies to address the flaw by giving set deadlines for patching or implementing additional mitigation measures. The mitigation measures that have been recommended by CISA include deploying a Web Application Firewall (WAF) in front of the solution stack; disabling the Log4j library, JNDI lookups or remote codebases; applying micropatches; and isolating systems.
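The directive's reporting requirement (application, version, and whether the asset was patched or mitigated) starts with an inventory of the Log4j copies actually on disk. The script below is an added illustration written for this article, not CISA's or Apache's tooling: it walks a directory tree for `log4j-core` jars, reads the version from the jar manifest (falling back to the file name), checks whether the `JndiLookup` class is still present (its removal is the "disable JNDI lookups" mitigation), and classifies each jar against CVE-2021-44228 only. The sample jars it scans are constructed in a temporary directory; it assumes jars sit unpacked on the filesystem and does not look inside WAR/EAR files or shaded jars.

```python
"""Inventory log4j-core jars on disk and classify each against CVE-2021-44228.

Added illustration for this article; not CISA's or Apache's tooling. Assumes
log4j-core jars are unpacked on the filesystem (jars nested inside WAR/EAR
files or shaded into other jars are not inspected).
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Class whose removal is one of the CISA-listed mitigations (disabling JNDI lookups).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Releases that fix CVE-2021-44228: 2.15.0 (Java 8+), 2.12.2 (Java 7), 2.3.1 (Java 6).
# Later advisories raised the recommended floor; this check covers only the flaw named here.
FIXED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'log4j-core-2.14.1.jar' -> (2, 14, 1); None when no x.y.z is present."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def manifest_version(zf):
    """Read Implementation-Version from the jar manifest, if present."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def assess_jar(name, data):
    """Classify one jar (given as bytes) as patched, mitigated, vulnerable or unknown."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = manifest_version(zf) or parse_version(name)
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    if version is None:
        status = "unknown-version"
    elif version >= (2, 15, 0) or version in FIXED_BACKPORTS:
        status = "patched"
    elif not has_jndi:
        status = "mitigated-class-removed"  # JndiLookup deleted from the jar
    else:
        status = "vulnerable"
    return {"jar": name, "version": version, "jndi_lookup_present": has_jndi, "status": status}


def scan_directory(root):
    """Walk `root` for log4j-core jars and return one assessment per jar."""
    results = []
    for path in sorted(Path(root).rglob("log4j-core*.jar")):
        results.append(assess_jar(path.name, path.read_bytes()))
    return results


def make_sample_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar: a manifest plus an empty class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0"]
        if version:
            lines.append(f"Implementation-Version: {version}")
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def demo():
    """Write three constructed jars to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "log4j-core-2.14.1.jar": make_sample_jar("2.14.1", True),            # unpatched
            "log4j-core-2.14.1-stripped.jar": make_sample_jar("2.14.1", False),  # class removed
            "log4j-core-2.17.1.jar": make_sample_jar("2.17.1", True),            # patched release
        }
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['jar']:<32} {row['version']}  {row['status']}")
```

Point `scan_directory` at an application's install root to get one row per jar; the `status` column maps directly onto the directive's "patched" versus "mitigated" reporting categories, while `unknown-version` rows are the ones that need a manual look.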
In a December report, researchers with Trend Micro stated that, out of the 7 percent of their customers impacted by the Log4j flaw, many were within the government vertical. Ed Cabrera, chief cybersecurity officer at Trend Micro, said that when it comes to vulnerability management, there is a wide range for government agencies in the risks that they face and the resources and funding they have access to.
“It depends on what their mission is… which then speaks to the infrastructure they have,” said Cabrera. “Also what comes into play is how old the agency is. You have a lot of legacy applications and systems that departments and agencies are dealing with that are out of contract, out of support, and out of time. And a Log4j event highlights that.”
Beyond CISA, other government organizations are putting pressure on organizations to remediate the Log4j flaw, with the Federal Trade Commission (FTC) on Monday warning that failure to identify and patch instances of the flaw may violate the FTC Act, which bars unfair and deceptive practices affecting commerce, and the Gramm-Leach-Bliley Act, which requires financial institutions to safeguard sensitive data.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the FTC said in a statement.
CISA said it continues to work with each agency to “drive further progress toward remediating all assets at risk.” CISA did not have any further comment on how many agencies have fully complied with the directive. However, the agency will provide a report by Feb. 15 identifying cross-agency status.