With the Dec. 24 deadline approaching for Federal agencies to remediate the Log4j vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed to MeriTalk that there have still been no compromises of Federal agencies via the Apache Log4j vulnerability.
While CISA did not confirm today whether every agency is on track to hit the remediation deadline, a spokesperson told MeriTalk that the agency is pleased with how urgently agencies are acting to remediate the Log4j vulnerability.
“CISA is very pleased with the urgency with which agencies are addressing Log4j vulnerabilities,” an agency spokesperson said today. “Since we became aware of this vulnerability, CISA has hosted multiple calls attended by thousands of staff across the 101 civilian agencies, ranging from CIOs to CISOs to IT Ops and SOC personnel. Federal IT and cybersecurity leadership’s commitment to urgently addressing these vulnerabilities as a cohesive enterprise has been clear since the onset.”
After first warning of the vulnerability Dec. 11 and adding it to the agency’s vulnerability catalog covered under its Binding Operational Directive, CISA followed up with an emergency directive shortly after, ratcheting up the concern level for the vulnerability.
While CISA has yet to see any compromise of Federal agencies through the vulnerability, CISA Executive Director for Cybersecurity Eric Goldstein has said the widespread popularity of the Java library that contains the vulnerability has the agency concerned not only for Federal agencies but also for the private sector and the public at large.
CISA is also taking its warnings of the “critical” vulnerability worldwide: on Dec. 22 it issued a joint advisory with the National Security Agency, FBI, and partners from Australia, New Zealand, Canada, and the United Kingdom, urging remediation of the vulnerability CISA first warned of earlier this month.
“Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” CISA Director Jen Easterly said in the joint advisory.
“CISA is working shoulder-to-shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organizations to promptly implement appropriate mitigations,” Easterly added. “These vulnerabilities are the most severe that I’ve seen in my career, and it’s imperative that we work together to keep our networks safe.”