What’s Next on the Log4j Vulnerability?
Although CISA has said that all large agencies have mitigated the threat and that no exploits have occurred in the federal government as a result of the vulnerability, CISA Director Jen Easterly has also said the government is not out of the woods yet, and that attacks could still occur.
“The weaknesses in Log4j are just one example of how widespread software vulnerabilities, including those found in open source code, can present a serious threat to our national and economic security. In terms of the amount of online services, sites and devices exposed, the potential impact of this software vulnerability is immeasurable,” Sen. Gary Peters said at the hearing, CyberScoop reports.
CISA said in early January that large agencies had successfully taken steps to mitigate the Log4j vulnerability.
“Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the internet,” a CISA spokesperson tells MeriTalk.
“CISA has received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent Emergency Directive,” the agency adds.
Despite that, agencies cannot let their guard down: there is often a lag between the disclosure of a vulnerability and the point at which attackers exploit it at scale, and a patched or mitigated asset is not protected against any compromise that occurred before the fix was applied. “We do expect Log4j to be used in intrusions well into the future,” Easterly said on a call with reporters, according to CyberScoop. “There may be a lag between when this vulnerability is being used and when it is being actively deployed.”