Apache Log4j Vulnerability Guidance US/Canada

US GuidanceCanada Guidance
CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution vulnerability in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as «Log4Shell» and «Logjam.» Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information.
Immediately identify, mitigate, and patch affected products using Log4j.
Technical Details
This RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface takes to resolve variables.
CISA recommends affected entities
Review Apache’s Log4j Security Vulnerabilities page for additional information.
Apply available patches immediately. See CISA’s upcoming GitHub repository for known affected products and patch information.
Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers.
CISA will update sources for detection rules as we obtain them.
Joint Cybersecurity Advisory – Technical Approaches to Uncovering and Remediating Malicious Activity provides general incident response guidance.
On 10 December 2021, Apache released a Security Advisory Footnote1Footnote2 highlighting a critical remote code execution vulnerability in Log4j, affecting versions between 2.0-beta9 to 2.14.1. The vulnerability allows a remote unauthenticated actor to execute arbitrary code on an affected device. Open-source reporting indicates that the critical vulnerability, tracked as CVE-2021-44228 Footnote3, is actively being scanned for and exploited. Due to the Log4j library’s widespread use in popular frameworks, many third-party apps may also be vulnerable to exploitation.

Update 1
The Apache Log4j library allows for developers to log output from various data sources within their applications. In vulnerable versions of Log4j, logged user data containing JNDI lookups to actor-controlled endpoints could be performed, which would result in the server loading and executing arbitrary code from the endpoint. Apache has released Log4j version 2.15, which addresses this vulnerability. In addition, Apache has provided workarounds for previous releases when upgrading is not possible.

The Cyber Centre encourages those organizations with applications leveraging Apache Log4j to

Upgrade to Log4j version 2.15.0 where possible. Apply the suggested workarounds from Apache if upgrading is not immediately possible.

Leave a Reply

Your email address will not be published. Required fields are marked *