|
|
|
@ -36,39 +36,39 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. |
|
|
|
|
|
|
|
|
|
|
|
## Mitigation Guidance ## |
|
|
|
## Mitigation Guidance ## |
|
|
|
|
|
|
|
|
|
|
|
When updates are available, agencies must update software |
|
|
|
When updates are available, agencies must update software |
|
|
|
using Log4j to the newest version, which is the most |
|
|
|
using Log4j to the newest version, which is the most |
|
|
|
effective and manageable long-term option. Where |
|
|
|
effective and manageable long-term option. Where |
|
|
|
updating is not possible, the following mitigating |
|
|
|
updating is not possible, the following mitigating |
|
|
|
measures can be considered as a temporary solution |
|
|
|
measures can be considered as a temporary solution |
|
|
|
and apply to the entire solution stack. |
|
|
|
and apply to the entire solution stack. |
|
|
|
|
|
|
|
|
|
|
|
- **Disable Log4j library.** Disabling software using the |
|
|
|
- **Disable Log4j library.** Disabling software using the |
|
|
|
Log4j library is an effective measure, favoring |
|
|
|
Log4j library is an effective measure, favoring |
|
|
|
controlled downtime over adversary-caused issues. |
|
|
|
controlled downtime over adversary-caused issues. |
|
|
|
This option could cause operational impacts and limit |
|
|
|
This option could cause operational impacts and limit |
|
|
|
visibility into other issues. |
|
|
|
visibility into other issues. |
|
|
|
- **Disable JNDI lookups or disable remote codebases.** |
|
|
|
- **Disable JNDI lookups or disable remote codebases.** |
|
|
|
This option, while effective, may involve |
|
|
|
This option, while effective, may involve |
|
|
|
developer work and could impact functionality. |
|
|
|
developer work and could impact functionality. |
|
|
|
- **Disconnect affected stacks.** Solution stacks not |
|
|
|
- **Disconnect affected stacks.** Solution stacks not |
|
|
|
connected to agency networks pose a dramatically |
|
|
|
connected to agency networks pose a dramatically |
|
|
|
lower risk from attack. Consider temporarily |
|
|
|
lower risk from attack. Consider temporarily |
|
|
|
disconnecting the stack from agency networks. |
|
|
|
disconnecting the stack from agency networks. |
|
|
|
- **Isolate the system.** Create a “vulnerable network” |
|
|
|
- **Isolate the system.** Create a “vulnerable network” |
|
|
|
VLAN and segment the solution stack from the |
|
|
|
VLAN and segment the solution stack from the |
|
|
|
rest of the enterprise network. |
|
|
|
rest of the enterprise network. |
|
|
|
- **Deploy a properly configured Web Application |
|
|
|
- **Deploy a properly configured Web Application |
|
|
|
Firewall (WAF) in front of the solution stack.** |
|
|
|
Firewall (WAF) in front of the solution stack.** |
|
|
|
Deploying a WAF is an important, but incomplete, |
|
|
|
Deploying a WAF is an important, but incomplete, |
|
|
|
solution. While threat actors will be able to |
|
|
|
solution. While threat actors will be able to |
|
|
|
bypass this mitigation, the reduction in alerting |
|
|
|
bypass this mitigation, the reduction in alerting |
|
|
|
will allow an agency SOC to focus on a smaller |
|
|
|
will allow an agency SOC to focus on a smaller |
|
|
|
set of alerts. |
|
|
|
set of alerts. |
|
|
|
- **Apply micropatch.** There are several micropatches |
|
|
|
- **Apply micropatch.** There are several micropatches |
|
|
|
available. They are not a part of the official |
|
|
|
available. They are not a part of the official |
|
|
|
update but may limit agency risk. |
|
|
|
update but may limit agency risk. |
|
|
|
- Report incidents promptly to CISA and/or the FBI |
|
|
|
- Report incidents promptly to CISA and/or the FBI |
|
|
|
[here](https://www.cisa.gov/uscert/report). |
|
|
|
[here](https://www.cisa.gov/uscert/report). |
|
|
|
|
|
|
|
|
|
|
|
For more information regarding CISA recommended mitigation measures please visit |
|
|
|
For more information regarding CISA recommended mitigation measures please visit |
|
|
|
|
justmurphy
2 years ago
committed by
GitHub