The Cybersecurity and Infrastructure Security Agency (CISA) released a statement on Dec. 11 with guidance for organizations to protect themselves against the “log4j” critical vulnerability that surfaced over the weekend.
The agency also added the vulnerability to its list of known, exploited vulnerabilities, which obligates Federal agencies to speed action to patch or remediate the problem.
Log4j is a popular Java library widely used in software products as a logging framework. The Apache Software Foundation developed log4j and maintains it. Currently, the critical vulnerability is affecting log4j versions 2.0-beta9 to 2.14.1 and allows unauthenticated remote code execution by adversaries.
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” CISA Director Jen Easterly said. “End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.”
CISA recommends all organizations upgrade to log4j version 2.15.0 or complete their appropriate vendor recommended mitigations. The agency also recommends organizations complete three additional steps regarding the vulnerability:
- “Enumerate any external facing devices that have log4j installed.
- Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
- Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.”
“We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity,” Easterly said. “We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels Federal civilian agencies – and signals to non-Federal partners – to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability.”
Easterly also noted that the Joint Cyber Defense Collaborative has established a senior leadership group, including with its partners at the FBI and National Security Agency, to coordinate action and response for the vulnerability.
“To be clear, this vulnerability poses a severe risk,” Easterly added. “We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”