Federal agencies have until Dec. 24 to apply fixes for Log4Shell vulnerability

DHS directives give departments 15 days to respond to critical vulnerabilities of this type.
cybersecurity alert
(Getty Images)

Federal agencies have 15 days to respond to the Log4Shell system security flaw following its designation as a critical vulnerability by the Cybersecurity and Infrastructure Security Agency.

CISA on Monday added the exploit to its catalog and identified it as a critical remote code execution (RCE) flaw. The DHS sub-agency has also launched a webpage hosting guidance for how agencies and private sector companies should respond to the vulnerability.

Under prior binding operational directives issued by the Department of Homeland Security, agencies have 15 days to respond to vulnerabilities once they have been designated as “critical risk,” and 30 days for “high risk” vulnerabilities.

CISA in April 2019 issued binding operational directive 19-02, which sets out the timeline that agencies have to take action once a flaw has been identified.


Log4Shell is a zero-day vulnerability that emerged last Thursday when it was exploited in remote code compromises against the servers of video game Minecraft, Ars Technica earlier reported.

The vulnerability affects much of the internet, and since its disclosure last Thursday cybersecurity firms have detected active scanning by actors seeking to identify vulnerable servers.

Log4Shell exploits the widely used, Java-based logging tool Log4j, which has the ability to perform network lookups and to execute any executable payload with full privileges of the main program.

“The scope of this vulnerability is such that there is no doubt there will be impact in federal agencies,” said Matt Olney, director of threat intelligence and interdiction at Cisco Talos.

He added: “This is a test for any organization, but particularly organizations at scale, as to how quickly they can identify and mitigate the risk in their networks, while fending off active attacks as well.”


CISA last month issued a separate binding operational directive that gave agencies 60 days to review and update vulnerability management procedures.

Latest Podcasts