The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said today that all large Federal agencies are successfully mitigating the Log4j critical vulnerability that the agency discovered in early December 2021.
Agencies faced a Dec. 24, 2021 deadline to remediate the vulnerability and, to date, CISA has yet to encounter any confirmed breaches of Federal agencies via the vulnerability. The agency continues to work with agencies to remediate any remaining risks.
“Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the internet,” a CISA spokesperson said in a statement to MeriTalk today.
“CISA has received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent Emergency Directive,” the agency added.
The vulnerability was first disclosed by CISA on Dec. 11, when it was also added to the agency’s vulnerability catalog, created as part of CISA’s latest Binding Operational Directive. That addition started a two-week remediation clock for agencies.
CISA urged “quick action” at first disclosure, and, despite not seeing any Federal breaches, CISA Executive Director for Cybersecurity Eric Goldstein expressed alarm at the vulnerability because of how widely used the Java library containing it is.
CISA upped the warning factor on Dec. 17, upgrading the alert and issuing an emergency directive that required Federal agencies to immediately patch any systems running the vulnerable library and to implement any other necessary mitigation measures.
“CISA continues to work with each agency to drive further progress toward remediating all assets at risk,” the spokesperson said.