Website review

Apache Log4j Vulnerability Guide | CISA

Immediate actions to protect against Log4j exploitation
• Discover all internet-accessible assets that allow data inputs and use the Java Log4j library anywhere in the stack.
• Discover all assets that use the Log4j library.
• Update or isolate affected assets. Assume a compromise, identify common sources and post-exploit activities, and look for signs of malicious activity.
• Monitor strange traffic patterns (eg JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).

Summary

To note: CISA will continue to update this webpage as well as our Community GitHub repository as we have more advice to give and additional supplier information to provide.

CISA and its partners, through the Joint Cyber ​​Defense Collaborativerespond to widespread active exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 through 2.14.1, called “Log4Shell”. Log4j is widely used in a variety of consumer and enterprise services, websites and applications, as well as operational technology products, to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

(Updated December 28, 2021) Organizations are encouraged to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7), and 2.3.2 (Java 6), and review and monitor the Apache Log4j Security Vulnerabilities Webpage for updates and mitigation advice.

To see CISA Joint Alert AA21-356A: Mitigation of Log4Shell and other Log4j-related vulnerabilities for more information.

In order for the vulnerabilities to be addressed in products and services that use the affected versions of Log4j, the maintainers of those products and services must implement these security updates. Users of these products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerabilities and the likelihood of increased exploitation by sophisticated cyber threats, CISA urges vendors and users to take the following actions.

  • Sellers
    • Immediately identify, mitigate and update affected products using Log4j to the latest version.
    • Inform your end users of products that contain these vulnerabilities and strongly encourage them to prioritize software updates.
  • Organizations affected

Technical details

The CVE-2021-44228 RCE vulnerability, affecting Apache’s Log4j library, versions 2.0-beta9 through 2.14.1, exists in the action that Java Naming and Directory Interface (JNDI) takes to resolve variables. According to List CVE-2021-44228affected versions of Log4j contain JNDI features, such as message lookup substitution, that “do not protect against adversary-controlled LDAP”. [Lightweight Directory Access Protocol] and other JNDI-related endpoints.”

An adversary can exploit CVE-2021-44228 by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control of the system. The adversary can then steal information, launch ransomware, or conduct other malicious activities.

Actions for organizations running products with Log4j

CISA recommends that the entities concerned:

  • Determine if your organization’s products with Log4j are vulnerable following the table below, using the two verification methods:
  • Give your opinion on Apache Log4j Security Vulnerabilities Page for more information and, if applicable, apply the workaround provided.
  • Immediately apply available patches.
    • Prioritize patches, starting with mission-critical systems, Internet-connected systems and networked servers. Then, prioritize patching other affected IT and operational assets.
    • As indicated above, Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability requires agencies to immediately remediate vulnerable assets accessible on the Internet.
  • Perform a security review to determine if there is a security issue or compromise. The log files of all services using the affected Log4j versions will contain user-controlled strings.
  • Consider reporting compromises immediately at CISA and FBI.

Resources

This information is provided “as is” for informational purposes only. CISA does not endorse any company, product or service referenced below.

Current list of affected products and devices

CISA maintains a Community GitHub repository which provides a list of publicly available information and advisories provided by the vendor regarding the Log4j vulnerability.

Continuous sources for detection rules

CISA will update the sources of the detection rules as we get them.

For detection rules, see Florian Roth’s GitHub page, RCE log4j exploit detection. To note: due to the urgency of sharing this information, CISA has not yet validated this content.

For a list of hashes to determine if a Java application is running a vulnerable version of Log4j, see Rob Fuller’s GitHub page, CVE-2021-44228-Log4Shell-Hashes. To note: due to the urgency of sharing this information, CISA has not yet validated this content.

Mitigation advice from JCDC partners

Additional Resources


Source link