log4j-affected-db/README.md

# CISA Log4j (CVE-2021-44228) Vulnerability Guidance #

This repository provides
[CISA's guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
and an overview of related software regarding the Log4j vulnerability
(CVE-2021-44228). CISA encourages users and administrators to review the
[official Apache release](https://logging.apache.org/log4j/2.x/security.html)
and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately.

The information in this repository is provided "as is" for informational
purposes only and is being assembled and updated by CISA through
collaboration with the broader cybersecurity community.  Inquire with the
manufacturer or their respective online resources for the most up-to-date
information regarding any specific product listed. CISA does not endorse
any commercial product or service, including any subjects of analysis.
Any reference to specific commercial products, processes, or services by
service mark, trademark, manufacturer, or otherwise, does not constitute
or imply their endorsement, recommendation, or favoring by CISA.

## Official CISA Guidance & Resources ##

- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures)
- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
- [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)
- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).

## CISA Current Activity Alerts ##

- [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/22/mitigating-log4shell-and-other-log4j-related-vulnerabilities)
- [CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache)
- [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
- [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)

National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)

## Mitigation Guidance ##

When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and apply to the entire solution stack.

- Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues.
- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality.
- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks.
- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network.
- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts.
- Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk.

For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).

## Software List ##

To view the full list of vendors & software [click here](./SOFTWARE-LIST.md).
Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00			`# CISA Log4j (CVE-2021-44228) Vulnerability Guidance #`

Fix spacing isssues 2021-12-20 14:23:16 +00:00			`This repository provides`
			`[CISA's guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)`
			`and an overview of related software regarding the Log4j vulnerability`
Add link to webpage at top 2021-12-20 14:13:52 +00:00			`(CVE-2021-44228). CISA encourages users and administrators to review the`
Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00			`[official Apache release](https://logging.apache.org/log4j/2.x/security.html)`
Fix version # for update 2021-12-20 15:51:15 +00:00			`and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately.`
Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00
Remove whitespace 2021-12-17 11:18:00 +00:00			`The information in this repository is provided "as is" for informational`
			`purposes only and is being assembled and updated by CISA through`
			`collaboration with the broader cybersecurity community. Inquire with the`
			`manufacturer or their respective online resources for the most up-to-date`
			`information regarding any specific product listed. CISA does not endorse`
			`any commercial product or service, including any subjects of analysis.`
			`Any reference to specific commercial products, processes, or services by`
			`service mark, trademark, manufacturer, or otherwise, does not constitute`
Add language 2021-12-17 11:16:44 +00:00			`or imply their endorsement, recommendation, or favoring by CISA.`

Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00			`## Official CISA Guidance & Resources ##`

			`- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)`
Add CISA rec mitigation measures 2021-12-23 21:08:04 +00:00			`- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures)`
			`- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)`
Add CA for ED 22-02 2021-12-20 14:11:39 +00:00			`- [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)`
Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00			`- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).`

			`## CISA Current Activity Alerts ##`

Add CA & Alert 12/22 2021-12-22 15:24:50 +00:00			`- [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/22/mitigating-log4shell-and-other-log4j-related-vulnerabilities)`
Add CA for ED 22-02 2021-12-20 14:11:39 +00:00			`- [CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache)`
Updating Cisco Products Updated the disposition and status of the investigation of several Cisco products. 2021-12-16 21:39:37 +00:00			`- [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)`
Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00			`- [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)`
Create sample table 2021-12-13 15:27:47 +00:00
Updating Cisco Products Updated the disposition and status of the investigation of several Cisco products. 2021-12-16 21:39:37 +00:00			`National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)`

Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00			`## Mitigation Guidance ##`
Update README.md 2021-12-15 19:10:32 +00:00
Add CISA rec mitigation measures 2021-12-23 21:08:04 +00:00			`When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and apply to the entire solution stack.`
Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00
Add CISA rec mitigation measures 2021-12-23 21:08:04 +00:00			`- Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues.`
			`- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality.`
Add CISA rec mitigation guidance 2021-12-23 21:10:42 +00:00			`- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks.`
Add CISA rec mitigation measures 2021-12-23 21:08:04 +00:00			`- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network.`
			`- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts.`
			`- Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk.`
Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00
Add CISA rec mitigation measures 2021-12-23 21:08:04 +00:00			`For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).`
Update contents to pass pre-commit hooks 2021-12-15 20:24:47 +00:00
			`## Software List ##`
Add CA & Webpage data 2021-12-14 12:50:56 +00:00
Update README.md with list pointer 2021-12-21 22:47:13 +00:00			`To view the full list of vendors & software [click here](./SOFTWARE-LIST.md).`