Inform your end users of products that contain these vulnerabilities and strongly urge them to prioritize software updates.Immediately identify, mitigate, and update affected products using Log4j to the latest version.Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions. Users of such products and services should refer to the vendors of these products/services for security updates. In order for vulnerabilities to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement these security updates. See CISA's joint Alert AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for more information. (Updated December 28, 2021)Organizations are urged to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance. If an asset cannot be patched or mitigated, consider removing it from the network. If a product cannot be updated, you should apply the temporary mitigation measures from the list at Mitigating Log4Shell and Other Log4j-Related Vulnerabilities. Note: while certain mitigation measures, such as removing the vulnerable class, can prevent exploitation, tracking each asset’s mitigation status adds administrative overhead so patching is preferred. Patching over mitigation: If an update is available, it should be applied immediately.Organizations should continue to review the CISA log4j vulnerable software database and cross reference against used software. Newly vulnerable 3rd party software. Organizations may lack insight into certain applications, such as Software as a Service (SaaS) solutions and other cloud resources.High fidelity scanning. Consider using file system scanning scripts to identify vulnerable Log4j files or use vulnerability scanners that leverage file scanning.This should include scanning (network and host) and comparing installed software with software listed in CISA’s Log4j vulnerable software database. Continuous enumeration and analysis: Organizations need to perform comprehensive analysis to fully enumerate all Log4J vulnerabilities.For long term mitigation, ensure the prevalence of log4j in all assets is considered and accounted for, including internally developed software and non-internet facing technology stacks. Scope of covered assets: Due to the limited availability of initial information, identification and mitigation efforts may have been scoped to a limited number of an organization’s assets. (Updated April 8, 2022) Organizations should continue identifying and remediating vulnerable Log4j instances within their environments and plan for long term vulnerability management. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system. Note: CISA will continue to update this webpage as well as our community-sourced GitHub repository as we have further guidance to impart and additional vendor information to provide.ĬISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability ( CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications-as well as in operational technology products-to log security and performance information.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |