mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-11-22 16:40:48 +00:00

Update README.md

Chris Sullivan 2021-12-15 14:10:32 -05:00 committed by GitHub
parent 7dbb12e866
commit 77428c4b9d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -19,6 +19,15 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.
</br>
CISA will maintain a list of all publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. This list is not a full list and will be updated continuously. If you have any additional information to share relevant to the Log4j vulnerability, please feel free to open an issue [here](https://github.com/cisagov/log4j-affected-db/issues). We have a template available for your submission. Please also feel free to submit a pull request.
# Mitigation Guidance
CISA urges organizations operating products marked as "Fixed" to immediately implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
CISA urges organizations operating products marked as "Not Fixed" to immediately implement alternate controls, including:
* Install a WAF with rules that automatically update.
* Set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application.
* Ensure that any alerts from a vulnerable device are immediately actioned.
* Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
# Status Descriptions
|Status| Description |
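
Review bot: In the `log4j2.formatMsgNoLookups` bullet, the prose says to set the property to `true` while the JVM argument is written `-Dlog4j2.formatMsgNoLookups=True`; use one spelling (lowercase `true`) in both places, and state which Log4j versions honor this property so operators on other releases do not assume the setting covers them. The two `[here]` links in the new section would be easier to scan with descriptive link text, and a blank line around the `# Mitigation Guidance` heading and before the bullet list would keep the Markdown rendering consistent across viewers.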