Agencies race to patch Log4j

Published in the December 16, 2021 Morning Cybersecurity Newsletter

Politico writer Sam Sabin sat down with GuidePoint Security’s Matt Keller on the Log4j vulnerability that has forced agencies and organizations to patch their systems.

“For some things, patching might be an overnight-type thing, but for some other things, it might take some time to get that patch implemented and figure out where we’re going from there,” said Keller. He added that it could take two to four weeks for agencies to patch more complicated systems.

Keller noted several key issues that agencies are dealing with related to the Log4j vulnerability:

  1. Making a list of which systems could be vulnerable takes a lot of time — and agencies can’t start their vulnerability patch procedures without knowing what they need to patch, Keller said. Many agencies weren’t able to start running their normal network scans to detect the Log4j vulnerability until Wednesday, when private cybersecurity firms were able to add the code to the list of flaws their tools can automatically detect, Keller said.
  2. Not all app developers know if they used the vulnerable code in their software, and agencies also don’t have a “good repository of software” they use, Keller said. This makes it more challenging for agencies to figure out if the software they’ve purchased is impacted by the latest vulnerability.
  3. Holiday closures and schedules: Keller said that several government workers have already scheduled vacation time during the upcoming end-of-year holidays, throwing a wrench into agencies’ emergency response plans. The White House is also aware of this issue: National Cyber Director Chris Inglis and Anne Neuberger, the deputy national security adviser for cyber, sent a memo to business leaders this morning with tips that agencies can also use for keeping their systems safe during the holiday season, although they didn’t directly mention the Log4j response.

Because of the nuances of vulnerability patching, Keller said he expects most agencies to file a waiver to be excused from the deadline ahead of next Friday, which would let them submit a plan of action for patching the vulnerabilities to CISA before the due date, instead of actually patching them. Yet the stakes remain high for agencies to patch this vulnerability as quickly as possible. Keller said that even if agencies can’t completely patch their systems before Christmas Eve, they can still focus on mitigation techniques like updating their application’s firewalls to fend off potential breaches in the meantime.