[LINK] Apache Log4j2

Stephen Loosley stephenloosley at outlook.com
Thu Dec 30 18:56:28 AEDT 2021


> Sent: Thursday, 30 December 2021 5:49 PM
> Subject: [LINK] Apache Log4j2
>
> If any of your programs contain a vulnerable version of Log4j2, then they
> can be blasted with a remote code execution flaw attack ..


US orders federal government agencies to patch critical Log4j bug

(https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)

By Sergiu Gatlan, December 17, 2021 12:35 PM
https://www.bleepingcomputer.com/news/security/us-orders-federal-govt-agencies-to-patch-critical-log4j-bug/

US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days.

The order comes through an emergency directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) today.

This is not surprising given the risk the ongoing exploitation of this vulnerability poses and seeing that the security flaw (tracked as CVE-2021-44228) has also recently been added to the Known Exploited Vulnerabilities Catalog, which also required expedited action in mitigating the bug until December 24.

"To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action," CISA Director Jen Easterly said at the time.

Log4Shell mitigation required until December 23

The new emergency directive (ED 22-02) further requires federal agencies to find all Internet-exposed devices vulnerable to Log4Shell exploits, patch them if a patch is available, mitigate the risk of exploitation, or remove vulnerable software from their networks until December 23.

CISA also says that all devices running software vulnerable to Log4Shell attacks should be assumed to be already compromised and requires looking for signs of post-exploitation activity and monitoring for any suspicious traffic patterns.

The federal agencies were also given five more days, until December 28, to report all affected Java products on their networks, including application and vendor names, the app's version, and the action taken to block exploitation attempts.

"Although ED 22-02 applies to FCEB agencies, CISA strongly recommends that all organizations review ED 22-02 for mitigation guidance," CISA added today.

Log4Shell mitigation guidance

Earlier this week, CISA published a dedicated page with technical details regarding the Log4Shell flaw and patching information for impacted organizations.

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

CISA asks organizations to upgrade to Log4j version 2.16.0 or immediately apply appropriate vendor-recommended mitigations.
