
CISA Warns Log4j's Destructive Power Is Staggering: Hundreds of Millions of Devices Affected

In a briefing call on Monday, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), told industry leaders that the recently disclosed Apache Log4j vulnerability was one of the most serious, if not the worst, she had seen in her entire career. "We expect the vulnerability to be widely exploited by sophisticated actors and we only have limited time to take the necessary steps to reduce the likelihood of damage," she said. The issue is an unauthenticated remote code execution vulnerability that could allow an intruder to take over the affected device.


In calls with critical infrastructure owners and operators, Jay Gazlay of the CISA Vulnerability Management Office said hundreds of millions of devices would be affected. CISA, part of the Department of Homeland Security, will set up a dedicated website as soon as Tuesday to provide information and combat "positive disinformation." Eric Goldstein, the agency's executive assistant director for cybersecurity, said the vulnerability would "allow remote attackers to easily take control of the systems where they exploited the vulnerability."

The industry briefing is the latest alert from government officials around the world. CISA issued a warning over the weekend alongside countries such as Austria, Canada, New Zealand and the United Kingdom. Goldstein said CISA expects exploitation by attackers of all kinds, from encryptors to ransomware groups and more. "There is currently no evidence of a positive supply chain attack," he said.

Gazlay said businesses need "ongoing efforts" to become secure, even after applying Apache's patches. "No single action can solve this problem," Gazlay said. It would be a mistake to think that anyone "can fix this in a week or two."
