FYSA
CISA and its partners, through the Joint Cyber Defense
Collaborative<https://www.cisa.gov/jcdc>, are tracking and responding to
active, widespread exploitation of a critical remote code execution
vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions
2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and
enterprise services, websites, and applications-as well as in operational
technology products-to log security and performance information. An
unauthenticated remote actor could exploit this vulnerability to take control
of an affected system.
In response, CISA has created a webpage, Apache Log4j Vulnerability
Guidance<https://cisa.gov/uscert/apache-log4j-vulnerability-guidance>, and is
actively maintaining a community-sourced GitHub
repository<https://github.com/cisagov/log4j-affected-db> of publicly available
information and vendor-supplied advisories regarding the Log4j vulnerability.
CISA will continually update both the webpage and the GitHub repository.
CISA urges organizations to review its Apache Log4j Vulnerability
Guidance<https://cisa.gov/uscert/apache-log4j-vulnerability-guidance> webpage
and upgrade to Log4j version 2.15.0, or apply the appropriate vendor
recommended mitigations immediately.
Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse@xxxxxxxxxxxx<mailto:theresa.masse@xxxxxxxxxxxx>
[cid:image002.png@01D7F03C.67A3A1C0]