The order from the US Cybersecurity and Infrastructure Security Agency (CISA) gives federal agencies until December 23 to document internet-facing installations of the software on their networks and report that data back to CISA. It also tasks agencies with comparing the vast public list of software products that contain the vulnerable Log4J software against the software running on agency networks.
It’s one of the most urgent steps yet that the Biden administration has taken to address the flaw in so-called Log4J software, which US officials said this week could affect hundreds of millions of devices around the world.
CISA officials said this week that no federal agencies have been hacked using the vulnerability, but the emergency order is an effort to make sure of that by gathering much more data on federal agencies’ exposure to the issue.
Big tech firms from Amazon Web Services to IBM have raced to address the vulnerability in their products and have published guidance for their customers on how to fix the flaw.
The order goes further than a previous CISA directive in that it requires agencies to address instances of Log4J not only where they are directly exposed to the internet but also where they may sit deeper in agency networks.
“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” CISA Director Jen Easterly said in a phone call with industry executives on Monday.
Overnight Wednesday, the US Patent and Trademark Office shut down external access to its computer systems for 12 hours due to a “serious and time-sensitive concern” around the vulnerability.
Microsoft warned this week that hackers linked with China, Iran, North Korea and Turkey are exploiting the vulnerable software.