House Energy and Commerce Committee Chairman Frank Pallone, D-N.J., Ranking Member Cathy McMorris Rodgers, R-Wash., and subcommittee leaders sent letters on August 10 to five agencies inquiring about their progress in addressing the Apache Log4j vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) first warned agencies of the Log4j vulnerability in December. Noting reports of thousands of known exploits of the vulnerability, the members of Congress sent letters to the Departments of Commerce, Energy, Health and Human Services, the Environmental Protection Agency, and the National Telecommunications and Information Administration to request briefings related to Log4j.
“Because the Log4j vulnerability is widespread and can affect enterprise applications, embedded systems, and their sub-components, the committee is seeking to gain a comprehensive understanding of the scope of the vulnerability and actions being taken to mitigate its effects,” the committee leaders wrote.
“The risk to Federal network security is especially concerning because nation-state threat actors have attempted to exploit this Log4j vulnerability,” they added.
In their briefing requests, the members of Congress said they want to discuss questions such as when the agencies first learned of the Log4j vulnerability, what actions they have taken to address it, and what tools they employ to detect the vulnerability.
They also want to know if the agencies use software that utilizes Apache Log4j, if they have experienced a compromise or exploitation of the vulnerability, if they have a specific plan to identify and remediate such a cyber threat, and what incident alert thresholds the agencies have for potential compromises.
In a report issued in June, the Cyber Safety Review Board (CSRB) praised CISA for its response to the ongoing Log4j software vulnerability, and found that to date there have not been any significant Log4j-based attacks on U.S. critical infrastructure.
The House Energy and Commerce letters to the agencies were also signed by Oversight and Investigations Subcommittee Chair Diana DeGette, D-Colo., Subcommittee Ranking Member Morgan Griffith, R-Va., Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky, D-Ill., Subcommittee Ranking Member Gus Bilirakis, R-Fla., Communications and Technology Chairman Mike Doyle, D-Pa., Subcommittee Ranking Member Bob Latta, R-Ohio, Energy Subcommittee Chairman Bobby Rush, D-Ill., Subcommittee Ranking Member Fred Upton, R-Mich., Environment and Climate Change Subcommittee Chairman Paul Tonko, D-N.Y., Subcommittee Ranking Member David McKinley, R-W.Va., Health Subcommittee Chairwoman Anna G. Eshoo, D-Calif., and Subcommittee Ranking Member Brett Guthrie, R-Ky.