CISA Issued Emergency Directive for Apache Log4j Vulnerability

December 22, 2021 - CISA issued an emergency directive on Log4j (CVE-2021-44228) on December 17, 2021. CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.

This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems. Details on the exploit, possible IOCs, and mitigation methods are available here.


Required actions to be taken by agencies before December 23, 2021 are:

  1. Evaluate of all solution stacks with data input from internet

  2. Review all software assets identified from Step 1 against software assets listed at https://github.com/cisagov/log4j-affected-db to determine if those assets are affected by the vulnerability.

  3. Update affected assets from Step 3 for which patches are available. If not, mitigate using one or more measures available at link, or remove the affected assets from the network.

  4. For all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns.

  5. Report all affected software to CISA including vendor, version and action taken by December 28, 2021.

  6. Confirm with CISA that remaining internet IP-accessible assets on file are up to date.