The Cybersecurity and Infrastructure Security Agency (CISA) said Dec. 14 that there has been no confirmed compromise of any Federal agencies as a result of the Log4j vulnerability. But CISA reiterated it has added the vulnerability to its catalog of known vulnerabilities over the weekend, giving agencies two weeks to remediate and mitigate any potential harm.
During a press briefing on Tuesday evening, CISA Executive Director for Cybersecurity Eric Goldstein emphasized that while there has been no Federal compromise yet, the widespread popularity of the Java library in which the vulnerability is contained has CISA concerned.
“This is an extremely concerning vulnerability, really for three reasons,” Goldstein told reporters. “The first is that the Log4j library is widely used in a variety of devices and products, both consumer and enterprise across sectors and across functions. Second, this particular vulnerability is extremely easy to exploit and new ways to exploit it are being reported continuously over the last several days. And third, exploiting this vulnerability gives an adversary potentially access into a target network, possibly allowing them to exfiltrate information or cause other harmful attacks.”
Currently, Goldstein said, the attacks that CISA is seeing reported top out at low-level threats, like crypto miners, but he noted that adversaries “of all sorts” could potentially exploit the vulnerability. CISA has created both a dedicated webpage and a GitHub site cataloging up-to-date information on how to remediate vulnerabilities found in the library.
Per CISA’s Binding Operational Directive, agencies have up to two weeks to remediate against the vulnerability, but Goldstein said that “given the importance of the vulnerability, we are working with agencies to patch as quickly as possible.”
Different than SolarWinds
Despite the high level of concern with Log4j, Goldstein made a point to draw differences between that vulnerability and the SolarWinds Orion supply chain software attack that came to light in December 2020.
The biggest difference is the nature of the threat, he said. While SolarWinds was a targeted supply chain attack by advanced threat actors, thus far Log4j is simply a widespread, “easy-to-exploit” public vulnerability.
“This is not a case at this point of a specific, advanced persistent threat attack,” Goldstein emphasized. “This is a public vulnerability in a software library that is currently being exploited by a variety of threat actors; at this point, largely actors like crypto miners, although the potential exists for future use by advanced persistent threat for other advanced actors.”
As of now, CISA is still investigating to find the first known exploit of this vulnerability, Goldstein said.
Some of those in the industry share Goldstein’s fear about the potential widespread exploitation of this vulnerability.
Count Christopher Day, vice president for Strategic Capabilities and Programs at Tenable, among those concerned. Day called the Log4j vulnerability “one of the most serious vulnerabilities ever” in a statement to MeriTalk.
“The threat to every organization in the public and private sector is massive, and a full range of assets, including IT, IoT (Internet of Things), OT (Operational Technology), and cloud are potentially at risk,” Day said. “Organizations need to identify where they are exposed, patch vulnerable systems, and implement effective identity and access management technologies and processes to limit lateral movement by attackers.”
While Day expressed extreme concern, he also said he feels encouraged by the current level of engagement between CISA and the private sector and pointed to that sort of engagement and collaboration as a way to mitigate future threats.
“While the Log4Shell vulnerability represents a significant risk to internet security, the engagement between CISA and the private sector in recent days highlights the incredible value of public-private partnerships to assess risk across the environment and to act together to mitigate damage,” Day continued. “Bringing together government leaders with industry experts to mitigate cyberthreats is the best of both worlds.”
Goldstein said that CISA will continue to aggregate information from the cyber community and Joint Cyber Defense Collaborative on its webpages and work with agencies and the private sector to mitigate the vulnerability as quickly as possible.