NASCUS offers resources for dealing with Log4j vulnerability

(Dec. 23, 2021) The revelation of the “log4j” computer vulnerability made headlines this week, and NASCUS followed up by posting on its cybersecurity alerts and responses web pages guidance from federal agencies on how to protect against exploitations of the weakness.

Late last week, the federal CyberSecutiry & Infrastructure Security Agency (CISA) released a directive ordering federal civilian executive branch agencies to address vulnerabilities of log4j, a component widely used in Java scriptwriting for computer routines, including on websites and in applications. The component holds a “critical remote code execution” (RCE) vulnerability that computer and network security officials have found is being exploited by hackers. CISA described the hacks as “active, widespread exploitation.”

Friday’s directive, according to CISA, requires agencies to implement additional mitigation measures for vulnerable products where patches are not currently available and requires agencies to patch vulnerable internet-facing assets immediately.

By the beginning of this week, news about the vulnerability was reported widely in the press, with some headlines stating the vulnerability could be the “most serious in decades.”

Federal civilian agencies have until Friday to complete patching for log4j, according to press reports.

But that may not be enough, according to cybersecurity experts, as by then hackers may have already found their way into systems using the code.

In the meantime, users are advised to be on the lookout for phishing emails (and many of them) – and NOT to click on any links. For example, in response to an email claiming that an account has been compromised or a package failed to deliver, a user should ensure first that an account actually exists with that company and the user was expecting an email. Then, the user should find a real customer service number or address online and reach out in either (or both) of those methods.

Additionally, updating systems and apps with patches provided by software developers is the best defense, according to security networks.


NASCUS Cybersecurity Alerts & Resources: Apache Log4j Vulnerability Guidance