Systemic Vulnerabilities in Information Technology--Log4Shell [Updated December 21, 2021]
From the Document: "On December 9, 2021 a critical vulnerability in software used by millions of internet servers was discovered. Since its discovery both criminals and nation-state actors have reportedly exploited it. It is unclear how many entities are vulnerable, but it is presumed there are many. This CRS [Congressional Research Service] Insight describes the vulnerability and considerations for federal government response. [...] The private sector has taken several steps to minimize the exploitation of Log4Shell. Companies have produced security alerts to inform their customers and their broader community. Companies have updated their anti-malware programs to detect potential exploits of the vulnerability. Others have deployed rules to detect the types of queries that would compromise servers. Some have published mitigation guidance. The federal government has also moved to mitigate this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) created a new website with guidance on the vulnerability. CISA is using the Joint Cyber Defense Collaborative (JCDC) to manage the incident. [...] Per Emergency Directive 22-02, agencies have until December 23 to remediate the vulnerability in their internet-connected systems. [...] Policymakers may choose to explore the creation of a specific capability to address systemic vulnerabilities in the future."
CRS Insight, IN11824
Congressional Research Service: https://crsreports.congress.gov/