Log4j Zero Day Vulnerability: CISA Mitigation, Patch Guidance

Credit: Cybersecurity and Infrastructure Security Agency (CISA)

The U.S. CISA (Cybersecurity and Infrastructure Security Agency), in coordination with multiple agencies worldwide, issued updated Log4Shell and Log4j mitigation guidance on December 22, 2021.

The advisory noted:

  • Malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105 in vulnerable systems.
  • Log4Shell and CVE-2021-45046 are being actively exploited.

CISA issued the guidance in coordination with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

CISA Hosts Log4j Vulnerability Call With Key Security Stakeholders

Earlier, the CISA hosted a national call with critical infrastructure stakeholders on December 13, 2021. Among the topics covered: How to organize a mass effort to patch the Apache Log4j vulnerability, and mitigate potentially cyberattacks that exploit the Log4Shell issue.

Jen Easterly, director, CISA
Jen Easterly, director, CISA

In a prepared statement about the vulnerability, CISA Director Jen Easterly said on December 11, 2021:

“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”

Still, the worldwide Log4j software cleanup could take months, SC Media reported, because thousands of third-party software products run the code.

Amid that backdrop, the CISA has created a webpage (called Apache Log4j Vulnerability Guidance) and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability, the organization said. Both web destinations will be updated regularly as more information becomes against, the CISA indicated.

Log4j Vulnerability Mitigation: 4 Steps for MSPs and MSSPs

Ahead of the December 13 critical infrastructure call, the CISA offered this Log4j vulnerability mitigation guidance:

  1. Review the latest CISA current activity alert and upgrade to log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately.
  2. Enumerate any external facing devices that have log4j installed.
  3. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
  4. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.

Log4j Vulnerability: Cybersecurity and MSP Software Company Statements

Meanwhile, cybersecurity companies offered this Log4j vulnerability guidance. And MSP software companies such as ConnectWise, Datto, Kaseya, N-able, NinjaOne and Pax8 have issued Log4j statements about whether their platforms are safe from the vulnerability.

Note: Blog originally posted December 14, 2021. Updated thereafter with the latest CISA guidance.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.