The Cybersecurity and Infrastructure Security Agency (CISA) and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution vulnerability in Apache’s Log4j software library.
Specifically, CISA flagged versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam."
Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications, as well as in operational technology products, to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
Apache released Log4j version 2.15.0 in a security update to address this vulnerability.
“However, in order for the vulnerability to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement this security update,” CISA noted.
CISA said that users of such products and services should refer to the vendors of these products and services for security updates.
Given the severity of the vulnerability and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urged vendors and users to take several actions.
Vendors should immediately identify, mitigate, and patch affected products using Log4j and inform their end users of products that contain this vulnerability and strongly urge them to prioritize software updates, CISA said.
With respect to affected organizations, CISA said such organizations should “enumerate external-facing devices that have Log4j” and ensure security operations center actions alerts on these devices and install a web application firewall with rules that automatically update.
In addition, affected organizations should review CISA's upcoming GitHub repository for a list of affected vendor information and apply software updates as soon as they are available.
CISA also provides guidance for organizations running products with Log4j.