1
0
Fork 0
mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-11-22 16:40:48 +00:00

Merge branch 'develop' into patch-1

This commit is contained in:
justmurphy 2021-12-29 08:45:52 -05:00 committed by GitHub
commit 6b02f19780
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 666 additions and 195 deletions

View file

@ -5,7 +5,7 @@ This repository provides
and an overview of related software regarding the Log4j vulnerability
(CVE-2021-44228). CISA encourages users and administrators to review the
[official Apache release](https://logging.apache.org/log4j/2.x/security.html)
and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately.
and upgrade to Log4j 2.17.1 or apply the recommended mitigations immediately.
The information in this repository is provided "as is" for informational
purposes only and is being assembled and updated by CISA through
@ -20,11 +20,14 @@ or imply their endorsement, recommendation, or favoring by CISA.
## Official CISA Guidance & Resources ##
- [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures)
- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
- [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)
- [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).
## CISA Current Activity Alerts ##
- [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/22/mitigating-log4shell-and-other-log4j-related-vulnerabilities)
- [CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache)
- [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
- [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
@ -33,17 +36,43 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.
## Mitigation Guidance ##
CISA urges organizations operating products marked as "Fixed" to immediately
implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
When updates are available, agencies must update software
using Log4j to the newest version, which is the most
effective and manageable long-term option. Where
updating is not possible, the following mitigating
measures can be considered as a temporary solution
and apply to the entire solution stack.
CISA urges organizations operating products marked as "Not Fixed" to immediately
implement alternate controls, including:
- **Disable Log4j library.** Disabling software using the
Log4j library is an effective measure, favoring
controlled downtime over adversary-caused issues.
This option could cause operational impacts and limit
visibility into other issues.
- **Disable JNDI lookups or disable remote codebases.**
This option, while effective, may involve
developer work and could impact functionality.
- **Disconnect affected stacks.** Solution stacks not
connected to agency networks pose a dramatically
lower risk from attack. Consider temporarily
disconnecting the stack from agency networks.
- **Isolate the system.** Create a “vulnerable network”
VLAN and segment the solution stack from the
rest of the enterprise network.
- **Deploy a properly configured Web Application
Firewall (WAF) in front of the solution stack.**
Deploying a WAF is an important, but incomplete,
solution. While threat actors will be able to
bypass this mitigation, the reduction in alerting
will allow an agency SOC to focus on a smaller
set of alerts.
- **Apply micropatch.** There are several micropatches
available. They are not a part of the official
update but may limit agency risk.
- Report incidents promptly to CISA and/or the FBI
[here](https://www.cisa.gov/uscert/report).
- Install a WAF with rules that automatically update.
- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True`
to the Java Virtual Machine command for starting your application.
- Ensure that any alerts from a vulnerable device are immediately actioned.
- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
For more information regarding CISA recommended mitigation measures please visit
[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).
## Software List ##

File diff suppressed because it is too large Load diff