US to issue ‘emergency directive’ ordering government agencies to fix critical software flaw

The order from the US Cybersecurity and Infrastructure Security Agency gives federal agencies until December 23 to document installations of the software on their networks and report the data to CISA. It also instructs agencies to compare the extensive public list of software products affected by the Log4J vulnerability with software running on agency networks.

It’s one of the most urgent steps the Biden administration has taken to date to address the so-called Log4J software flaw, which U.S. officials this week said could affect hundreds of millions of devices around the world.

CISA officials said this week that no federal agency had been hacked using the vulnerability, but the emergency order is an effort to make sure of that by gathering a lot more data about the exposure of federal agencies to the problem.

Big tech companies, from Amazon Web Services to IBM, rushed to fix the vulnerability in their products and released guidance on how to patch the flaw for their customers.

The order goes further than a previous CISA directive because it requires agencies to deal with instances of Log4J that are not only directly exposed to the internet, but could be deeper in agency networks.

“This vulnerability is one of the most severe I’ve seen in my entire career, if not the most severe,” CISA Director Jen Easterly said Monday in a phone call with industry leaders.

Overnight Wednesday, the US Patent and Trademark Office shut down external access to its IT systems for 12 hours due to “serious and urgent concerns” about the vulnerability.

Microsoft warned this week that hackers linked to China, Iran, North Korea and Turkey are exploiting the vulnerable software.

The Pentagon is taking “swift action right now to identify and mitigate vulnerabilities in Log4J by monitoring malicious cyberactivity and directing mitigation against potential exploitation,” Press Secretary John Kirby said Friday.

The Pentagon, he added, continues “to work with the Cybersecurity and Infrastructure Security Agency, CISA, on a whole-of-government response.”

This story was updated with additional details on Friday.

CNN’s Michael Conte contributed to this report.

Ashley C. Reynolds