Cybersecurity and Infrastructure Security Agency Director Jen Easterly told industry leaders in a phone briefing Monday that a vulnerability in a widely used logging library “is one of the most serious I’ve seen in my entire career, if not the most serious.”
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said of the Apache Log4j flaw. The issue is an unauthenticated remote code execution vulnerability that could allow an intruder to take over an affected device.
Hundreds of millions of devices are likely to be affected, said Jay Gazlay of CISA’s vulnerability management office in the call with critical infrastructure owners and operators.
CISA, a component of the Department of Homeland Security, is setting up a dedicated website as soon as Tuesday to provide information and counter “active disinformation,” said Eric Goldstein, executive assistant director for cybersecurity at the agency. The vulnerability would “allow remote attackers to easily take control of the system in which they exploit it,” he said.
The industry briefing was the latest alarm sounded by government officials from around the world, with CISA issuing a warning over the weekend alongside the likes of Austria, Canada, New Zealand and the U.K.
Goldstein said CISA expects that all kinds of attackers will exploit the vulnerability, from cryptominers to ransomware groups and beyond. There is no evidence of an active supply-chain attack “at this time,” he said.
It’s going to take “sustained effort” for organizations to become secure, with diligence needed even after applying patches from Apache, Gazlay said.
“There’s no single action that fixes this issue,” Gazlay said. It’s a mistake to think anyone is “going to be done with this in a week or two.”
Easterly’s advice was to make sure organizations have their security teams staffed over the holidays, take “all necessary steps to close easily exploitable weaknesses” and share even more information than usual with CISA.
Jen Easterly took over CISA in July but has worked on national security policy issues since at least 2002.
In the hour-long call, CISA officials took questions from representatives of banks, hospitals, local governments and more.