The US Department of Homeland Security's Cybersecurity Infrastructure and Security Agency (CISA) today ordered civilian federal agencies to take immediate steps to identify, patch, and mitigate Log4j vulnerabilities in their networks.

"CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems," the emergency directive states.

Federal agencies — not including the Defense Department or intelligence agencies — have until 5 p.m. on Dec. 23 to identify, patch, or apply mitigation measures on all Internet-facing systems vulnerable to Log4j or, if necessary, remove the affected software altogether. CISA said to "assume compromise" of systems that are affected, and agencies must monitor and investigate those systems for signs of attack.

Agencies are required to report all affected applications and actions taken to CISA by 5 p.m. EST on Dec. 28. 

Read the full emergency directive here.