CISA, FBI issue new guidance on addressing Log4j risks


The Cybersecurity and Infrastructure Security Agency and its partners are providing new ways to identify Log4j risks and mitigate possible exploitation.

The Cybersecurity and Infrastructure Security Agency has released a joint advisory with the FBI, NSA and several international agencies offering new ways to respond to the Log4j vulnerability for any public or private entity affected by the widespread security flaw.

Agencies have until 5:00 p.m. ET on Dec. 23 to patch, mitigate or remove any affected software assets from their networks under an emergency directive CISA released last week.

The latest guidance featured additional details about Log4Shell, a vulnerability that can allow attackers to achieve remote code execution through Log4j, the open-source logging library used by many platforms that millions of users access daily.

The joint cybersecurity advisory published on Wednesday provided potential victims with direct links to a vulnerability tester and to additional resources for identifying instances of possible exploitation.

It also included detailed remediation and mitigation guidance for vendors and customers on how to upgrade impacted systems and threat hunt for the security flaw. The vulnerability was reported in late November, when a researcher working for Alibaba's cloud security team discovered it and notified the Apache Software Foundation.

CISA advised vendors to inform end users of products that contain any identified vulnerabilities, and it included a link to its GitHub repository, which lists currently available patches for products impacted by Log4Shell.

Discussing the major internet security flaw in her first on-camera interview since the vulnerability was reported, CISA Director Jen Easterly said "everyone should assume that they are exposed and vulnerable."

"My view is that we are going to see widespread exploitation by all manner of threat actors, and likely impacts on both public and private infrastructure," Easterly told CNBC. "We're doing everything we can with our partners to get ahead of that, but we're going to be dealing with this vulnerability for a very long time."

In a tweet on Friday, the FBI encouraged entities to review the new advisory and urged those affected by the vulnerability to report incidents through an online portal. CISA has also required agencies to report all software applications affected by the Log4j vulnerability by 5:00 p.m. ET on Dec. 28, and to include in that report what steps were taken to address the threat.