The US Cybersecurity and Infrastructure Security Agency has told federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve. From a report: The agency has added yesterday the Log4Shell bug (CVE-2021-44228) to its catalog of actively-exploited vulnerabilities, along with 12 other security flaws. According to this catalog, federal agencies have ten days at their disposal to test which of their internal apps and servers utilize the Log4j Java library, check if systems are vulnerable to the Log4Shell exploit, and patch affected servers. All of this must be done by December 24, according to a timeline provided in the catalog. In addition, CISA has also launched yesterday a dedicated web page providing guidance to the US public and private sector regarding the Log4Shell vulnerability.
Read more of this story at Slashdot.