The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered all civilian federal agencies to patch the Log4j vulnerability and three others by December 24, adding it to the agency's Known Exploited Vulnerabilities Catalog.
CISA created a landing page for all Log4j vulnerability content and is providing insight alongside the Joint Cyber Defense Collaborative that includes multiple cybersecurity companies.
CISA added the Log4j vulnerability alongside 12 others; four of the 13 entries carry a remediation due date of December 24, and the rest must be remediated by June 10, 2022. The ones slated for remediation by December 24 include the Zoho Corp. Desktop Central authentication bypass vulnerability, the Fortinet FortiOS arbitrary file download vulnerability and the Realtek Jungle SDK remote code execution vulnerability.
CISA Director Jen Easterly said in a statement on Saturday that the log4j vulnerability "is being widely exploited by a growing set of threat actors" and "presents an urgent challenge to network defenders given its broad use."
Bugcrowd CTO Casey Ellis commended the remediation deadlines but said it would be "nearly impossible for most organizations."
"They need to find log4j before they can patch it, and many are still stuck on that step. If log4j is found, it's likely that it is deeply embedded in existing applications and will require regression testing to ensure that a patch doesn't break anything else," Ellis said. "In short, the time pressure is a good thing for activating those who aren't taking this seriously, but this will be a difficult timeframe for many to meet."
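The "find it before you can patch it" step Ellis describes is where most of the work sits, because log4j-core is usually bundled inside application archives rather than installed on its own. The scanner below is an added example written for this article; it is not code from the article, from CISA or from any vendor. It walks a directory tree, opens every .jar/.war/.ear/.zip, recurses into archives nested inside them, reads the bundled log4j-core version from its Maven pom.properties and records whether JndiLookup.class (the class Apache's documented mitigation removes) is still present. The sample deployment tree it builds is constructed test data, and MIN_FIXED is an assumed version floor for the example only, since the fixed release was revised more than once during the incident.

```python
"""Locate bundled Log4j 2 core jars and flag the ones that still need attention.

Added example for this article; not the article's, CISA's or any vendor's code.
"""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumed floor for this example only; check the current Apache Log4j security
# page for the release that actually closes the CVEs you care about.
MIN_FIXED = (2, 16, 0)


def _read_version(zf):
    """Return the version= value from log4j-core's pom.properties, or None."""
    try:
        data = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _inspect(zf, location, findings):
    """Record a finding if this archive is log4j-core, then recurse into nested archives."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names or POM_PROPS in names:
        findings.append({"path": location, "version": _read_version(zf),
                         "jndi_lookup": JNDI_LOOKUP in names})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                _inspect(inner, f"{location}!/{name}", findings)


def scan_tree(root):
    """Walk root and return one finding per log4j-core jar, nested ones included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                zf = zipfile.ZipFile(full)
            except zipfile.BadZipFile:
                continue
            with zf:
                _inspect(zf, full, findings)
    return findings


def parse_version(v):
    try:
        return tuple(int(p) for p in v.split(".")[:3])
    except (AttributeError, ValueError):
        return None


def needs_attention(finding):
    """True when JndiLookup is still present and the version is unknown or below MIN_FIXED.

    Older maintenance branches (2.12.x, 2.3.x) received separate fixed releases; this
    plain comparison deliberately errs on the side of flagging them.
    """
    if not finding["jndi_lookup"]:
        return False  # class removed: the documented mitigation when upgrading is not possible
    ver = parse_version(finding["version"])
    return ver is None or ver < MIN_FIXED


def build_sample_tree(root):
    """Constructed sample deployment tree (fake jars, not real artifacts)."""
    def make_jar(path, entries):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    # app1: vulnerable log4j-core with JndiLookup still present
    make_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"),
             {JNDI_LOOKUP: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
    # app2: same version, but JndiLookup.class was deleted as a mitigation
    make_jar(os.path.join(root, "app2", "lib", "log4j-core-2.14.1.jar"),
             {POM_PROPS: b"version=2.14.1\n"})
    # app3: a fixed log4j-core nested inside a WAR, plus an unrelated jar
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr(POM_PROPS, b"version=2.16.0\n")
    make_jar(os.path.join(root, "app3", "webapp.war"),
             {"WEB-INF/lib/log4j-core-2.16.0.jar": inner.getvalue()})
    make_jar(os.path.join(root, "app3", "lib", "guava.jar"),
             {"com/google/common/Foo.class": b""})


def demo():
    """Scan the constructed tree; returns (relative path, version, jndi present, needs attention)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        rows = []
        for f in scan_tree(root):
            rel = os.path.relpath(f["path"], root).replace(os.sep, "/")
            rows.append((rel, f["version"], f["jndi_lookup"], needs_attention(f)))
        return sorted(rows)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it against an application root rather than the constructed tree by calling scan_tree() on that directory. The version and class checks are the two signals worth reporting separately: a jar with JndiLookup removed is mitigated even though its version string looks vulnerable, and a current version string in pom.properties says nothing about a shaded or repackaged copy whose Maven metadata was dropped, so a scan that only matches filenames or version strings will miss both cases.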
CISA created the catalog last month, under Binding Operational Directive 22-01, to give federal agencies a single list of vulnerabilities known to be actively exploited. Each entry carries a remediation due date and guidance for managing it.
There is increasing worry that industrial networks -- many of which are considered critical infrastructure by US officials -- are among those which are most vulnerable to the recently disclosed zero-day.
Dennis Hackney, head of industrial cybersecurity services development at ABS Group, said the vulnerable Log4j library primarily affects the debugging and logging functions within very common historian and logging applications in OT environments.
What a lot of companies don't realize, Hackney said, is that supervisory control and data acquisition (SCADA) and human-machine interface (HMI) applications typically embed open-source components such as Java and Apache libraries, including the Log4j 2 library at issue, to deliver functionality as cost-effectively as possible. Hackney added that OEMs likely to issue security alerts shortly with approved fixes include Siemens T3000, GE CIMPLICITY Historian, GE LogManager, OSIsoft PI Logger, Inductive, Mango Automation and others.
"The Log4j API is used in very common SCADA systems and historians in the industry. Think GE Cimplicity, OSI Pi, Emerson Progea, and SIMATIC WinCC. We actually witnessed one example where the engineer was unable to start the runtime environment for his IO servers. These are the servers that control the object linking and embedding for process control (OPC) communications between the HMIs (SCADA) and the controllers, or other SCADA and between controllers," Hackney said.