The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said today that it is continuing to help Federal agencies remediate the Log4j vulnerability that CISA first warned about in December.
An agency spokesperson issued a clarifying statement to MeriTalk confirming that some large agencies were still in the process of fully remediating the vulnerability and were prioritizing assets that accept data from the internet, the focus of CISA’s recent Emergency Directive. A statement from CISA earlier this week had indicated that agencies remediated thousands of those internet-facing assets within days of the Directive’s issuance.
“CISA has received status reports from all large agencies, which have made significant progress in either patching or deploying alternate mitigations to address the risk from vulnerable assets, including by already mitigating thousands of internet-connected assets, the focus of the recent Emergency Directive,” a spokesperson said.
“CISA continues to work with each agency to drive further progress toward remediating all assets at risk,” the spokesperson said.
The widespread use of the Java logging library that contains the vulnerability worries the agency. After initially urging quick action on Dec. 11, CISA raised the urgency on Dec. 17 by issuing an emergency directive that focuses on internet-connected assets and requires specific mitigation measures for products that do not yet have patches available.
Once the vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog under its most recent Binding Operational Directive, agencies had two weeks to remediate it. The agency’s statement today clarifies that some agencies are still working through vulnerable assets, particularly those for which patches are not yet available and alternate mitigations must be applied instead.