1
0
Fork 0
mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-11-22 16:40:48 +00:00

Merge branch 'develop' into patch-2

This commit is contained in:
justmurphy 2021-12-23 16:30:56 -05:00 committed by GitHub
commit 12d3339ed4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -20,7 +20,8 @@ or imply their endorsement, recommendation, or favoring by CISA.
## Official CISA Guidance & Resources ##
- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
- [ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures)
- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
- [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)
- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
@ -35,17 +36,43 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.
## Mitigation Guidance ##
CISA urges organizations operating products marked as "Fixed" to immediately
implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
When updates are available, agencies must update software
using Log4j to the newest version, which is the most
effective and manageable long-term option. Where
updating is not possible, the following mitigating
measures can be considered as a temporary solution
and apply to the entire solution stack.
CISA urges organizations operating products marked as "Not Fixed" to immediately
implement alternate controls, including:
- **Disable Log4j library.** Disabling software using the
Log4j library is an effective measure, favoring
controlled downtime over adversary-caused issues.
This option could cause operational impacts and limit
visibility into other issues.
- **Disable JNDI lookups or disable remote codebases.**
This option, while effective, may involve
developer work and could impact functionality.
- **Disconnect affected stacks.** Solution stacks not
connected to agency networks pose a dramatically
lower risk from attack. Consider temporarily
disconnecting the stack from agency networks.
- **Isolate the system.** Create a “vulnerable network”
VLAN and segment the solution stack from the
rest of the enterprise network.
- **Deploy a properly configured Web Application
Firewall (WAF) in front of the solution stack.**
Deploying a WAF is an important, but incomplete,
solution. While threat actors will be able to
bypass this mitigation, the reduction in alerting
will allow an agency SOC to focus on a smaller
set of alerts.
- **Apply micropatch.** There are several micropatches
available. They are not a part of the official
update but may limit agency risk.
- Report incidents promptly to CISA and/or the FBI
[here](https://www.cisa.gov/uscert/report).
- Install a WAF with rules that automatically update.
- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True`
to the Java Virtual Machine command for starting your application.
- Ensure that any alerts from a vulnerable device are immediately actioned.
- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
For more information regarding CISA recommended mitigation measures please visit
[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).
## Software List ##