Log4Shell and CVE-2021-45046 are being actively exploited.
CISA issued the guidance in coordination with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
CISA Hosts Log4j Vulnerability Call With Key Security Stakeholders
Earlier, the CISA hosted a national call with critical infrastructure stakeholders on December 13, 2021. Among the topics covered: How to organize a mass effort to patch the Apache Log4j vulnerability, and mitigate potentially cyberattacks that exploit the Log4Shell issue.
“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
Amid that backdrop, the CISA has created a webpage (called Apache Log4j Vulnerability Guidance) and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability, the organization said. Both web destinations will be updated regularly as more information becomes against, the CISA indicated.
Log4j Vulnerability Mitigation: 4 Steps for MSPs and MSSPs
Ahead of the December 13 critical infrastructure call, the CISA offered this Log4j vulnerability mitigation guidance:
Review the latest CISA current activity alert and upgrade to log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately.
Enumerate any external facing devices that have log4j installed.
Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
Log4j Vulnerability: Cybersecurity and MSP Software Company Statements