From 041438752c4281806a4899d1effa845690e6165a Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:08:04 -0500 Subject: [PATCH 1/6] Add CISA rec mitigation measures --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 09cda7d..e98353c 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,8 @@ or imply their endorsement, recommendation, or favoring by CISA. ## Official CISA Guidance & Resources ## - [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) -- [ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a) +- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures) +- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a) - [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02) - [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability). 
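Review bot: in the `@@ -20,7 +20,8 @@` hunk the new `CISA ED 22-02: Apache Log4j Recommended Mitigation Measures` entry lands two lines above the existing `Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability` entry, so the list now has two ED 22-02 items separated by the AA21-356A alert; put them next to each other (the directive first, then its mitigation-measures page) so a reader does not take one for a duplicate. The rename from `ALERT (AA21-356A)` to `CISA ALERT (AA21-356A)` is fine, but the commit message only mentions adding mitigation measures and should say the alert line was retitled too.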
@@ -35,17 +36,16 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. ## Mitigation Guidance ## -CISA urges organizations operating products marked as "Fixed" to immediately -implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance). +When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and apply to the entire solution stack. -CISA urges organizations operating products marked as "Not Fixed" to immediately -implement alternate controls, including: +- Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues. +- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality. +- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. +- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network. +- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts. +- Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk. -- Install a WAF with rules that automatically update. 
-- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True` - to the Java Virtual Machine command for starting your application. -- Ensure that any alerts from a vulnerable device are immediately actioned. -- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report). +For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). ## Software List ## From b38a94f1acb239af3c393c7aeb91021f99f9e25f Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:10:42 -0500 Subject: [PATCH 2/6] Add CISA rec mitigation guidance --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e98353c..740ba3c 100644 --- a/README.md +++ b/README.md 
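Review bot: the `@@ -35,17 +36,16 @@` hunk of PATCH 1/6 deletes `- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).` along with the old control list, and nothing in the added text carries the reporting link forward; keep that bullet under the new list (PATCH 4/6 re-adds it later, which shows it was lost rather than retired on purpose). The concrete `-Dlog4j2.formatMsgNoLookups=True` instruction is likewise replaced by the generic `Disable JNDI lookups or disable remote codebases` bullet with no pointer to how that is done; if the flag is being dropped deliberately, state that in the commit message so the history explains itself. Style: the added paragraph and six bullets are single unwrapped lines while the text they replace was hard-wrapped, so wrap them to match the file here rather than in a follow-up (PATCH 3/6 does exactly that).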
@@ -40,7 +40,7 @@ When updates are available, agencies must update software using Log4j to the new - Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues. - Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality. -- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. +- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. - Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network. - Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts. - Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk. From a5265aee3c2bccedf1a9bb1a2359ca83a020d4f2 Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:13:02 -0500 Subject: [PATCH 3/6] Add CISA rec mitigation guidance --- README.md | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 740ba3c..c9ea2ef 100644 --- a/README.md +++ b/README.md 
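Review bot: the `@@ -40,7 +40,7 @@` hunk in PATCH 2/6 removes and re-adds the `Disconnect affected stacks.` line with no visible character change, so this is a whitespace-only edit (trailing whitespace or line ending) that the message `Add CISA rec mitigation guidance` does not describe; squash it into PATCH 1/6, or give it a message that says it is a whitespace fix.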
@@ -36,16 +36,29 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. ## Mitigation Guidance ## -When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and apply to the entire solution stack. +When updates are available, agencies must update software using Log4j to the newest version, +which is the most effective and manageable long-term option. Where updating is not possible, +the following mitigating measures can be considered as a temporary solution and apply to the +entire solution stack. -- Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues. -- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality. -- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks. -- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network. -- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts. -- Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk. +- Disable Log4j library. 
Disabling software using the Log4j library is an effective measure, +favoring controlled downtime over adversary-caused issues. This option could cause operational +impacts and limit visibility into other issues. +- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve +developer work and could impact functionality. +- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically +lower risk from attack. Consider temporarily disconnecting the stack from agency networks. +- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the +rest of the enterprise network. +- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. +Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to +bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller +set of alerts. +- Apply micropatch. There are several micropatches available. They are not a part of the official +- update but may limit agency risk. -For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). +For more information regarding CISA recommended mitigation measures please visit +[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). ## Software List ## From ec099a7ddc77dd8288569927ced955b2726e5d0f Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:20:28 -0500 Subject: [PATCH 4/6] Add CISA rec mitigations --- README.md | 46 ++++++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index c9ea2ef..0c6f28d 100644 --- a/README.md +++ b/README.md 
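Review bot: the rewrap in the `@@ -36,16 +36,29 @@` hunk of PATCH 3/6 introduces a rendering bug in the last item: `+- Apply micropatch. There are several micropatches available. They are not a part of the official` is followed by `+- update but may limit agency risk.`, and the stray `- ` turns the continuation into a separate bullet, so Markdown will render `update but may limit agency risk.` as its own list item. Drop the leading `- ` on that line (PATCH 4/6 fixes it, but the fix belongs in the commit that broke it). The continuation lines of the other bullets are not indented either, so they stay attached only by lazy continuation; indenting them two spaces is safer if the list is going to be wrapped at all.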
@@ -36,26 +36,40 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. ## Mitigation Guidance ## -When updates are available, agencies must update software using Log4j to the newest version, -which is the most effective and manageable long-term option. Where updating is not possible, -the following mitigating measures can be considered as a temporary solution and apply to the -entire solution stack. +When updates are available, agencies must update software +using Log4j to the newest version, which is the most +effective and manageable long-term option. Where +updating is not possible, the following mitigating +measures can be considered as a temporary solution +and apply to the entire solution stack. -- Disable Log4j library. Disabling software using the Log4j library is an effective measure, -favoring controlled downtime over adversary-caused issues. This option could cause operational -impacts and limit visibility into other issues. -- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve +- **Disable Log4j library.** Disabling software using the +Log4j library is an effective measure, favoring +controlled downtime over adversary-caused issues. +This option could cause operational impacts and limit +visibility into other issues. +- **Disable JNDI lookups or disable remote codebases.** +This option, while effective, may involve developer work and could impact functionality. -- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically -lower risk from attack. Consider temporarily disconnecting the stack from agency networks. -- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the +- **Disconnect affected stacks.** Solution stacks not +connected to agency networks pose a dramatically +lower risk from attack. Consider temporarily +disconnecting the stack from agency networks. 
+- **Isolate the system.** Create a “vulnerable network” +VLAN and segment the solution stack from the rest of the enterprise network. -- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. -Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to -bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller +- **Deploy a properly configured Web Application +Firewall (WAF) in front of the solution stack.** +Deploying a WAF is an important, but incomplete, +solution. While threat actors will be able to +bypass this mitigation, the reduction in alerting +will allow an agency SOC to focus on a smaller set of alerts. -- Apply micropatch. There are several micropatches available. They are not a part of the official -- update but may limit agency risk. +- **Apply micropatch.** There are several micropatches +available. They are not a part of the official +update but may limit agency risk. +- Report incidents promptly to CISA and/or the FBI +[here](https://www.cisa.gov/uscert/report). For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). From d77bd5e7027c11dfd83427b5edffd8156105bb2d Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:22:22 -0500 Subject: [PATCH 5/6] Add CISA rec mitigation guidance --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0c6f28d..24052a0 100644 --- a/README.md +++ b/README.md 
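Review bot: the re-added `- Report incidents promptly to CISA and/or the FBI` bullet at the end of the `@@ -36,26 +36,40 @@` hunk in PATCH 4/6 is the only list item without a bold lead-in, while every other item in the same hunk gained one (`**Disable Log4j library.**`, `**Apply micropatch.**` and so on); make it `- **Report incidents promptly** to CISA and/or the FBI` or drop the bold everywhere so the list is consistent. This hunk also rewraps the whole block a second time, now at roughly 55 columns after PATCH 3/6 wrapped it at roughly 95; pick one width and apply it once. The `please visit [here](...)` sentence left as context still uses opaque link text; `[CISA's recommended mitigation measures](...)` would tell the reader where the link goes.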
@@ -71,7 +71,7 @@ update but may limit agency risk. - Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report). -For more information regarding CISA recommended mitigation measures please visit +For more information regarding CISA recommended mitigation measures please visit [here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures). ## Software List ## From 75bda6ae8075085bb484b9c600ce4e046129e49f Mon Sep 17 00:00:00 2001 From: justmurphy <96064251+justmurphy@users.noreply.github.com> Date: Thu, 23 Dec 2021 16:24:27 -0500 Subject: [PATCH 6/6] Add CISA rec mitigation guidance --- README.md | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 24052a0..7e1dbfc 100644 --- a/README.md +++ b/README.md 
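Review bot: the `@@ -71,7 +71,7 @@` hunk in PATCH 5/6 changes `For more information regarding CISA recommended mitigation measures please visit` only in invisible characters (trailing whitespace), exactly as PATCH 2/6 did; if the intent is two trailing spaces to force a Markdown line break before the link, say so in the commit message, otherwise squash this whitespace-only commit into the one that introduced the line.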
@@ -36,39 +36,39 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd. ## Mitigation Guidance ## -When updates are available, agencies must update software -using Log4j to the newest version, which is the most -effective and manageable long-term option. Where -updating is not possible, the following mitigating -measures can be considered as a temporary solution +When updates are available, agencies must update software +using Log4j to the newest version, which is the most +effective and manageable long-term option. Where +updating is not possible, the following mitigating +measures can be considered as a temporary solution and apply to the entire solution stack. -- **Disable Log4j library.** Disabling software using the -Log4j library is an effective measure, favoring -controlled downtime over adversary-caused issues. -This option could cause operational impacts and limit +- **Disable Log4j library.** Disabling software using the +Log4j library is an effective measure, favoring +controlled downtime over adversary-caused issues. +This option could cause operational impacts and limit visibility into other issues. -- **Disable JNDI lookups or disable remote codebases.** -This option, while effective, may involve +- **Disable JNDI lookups or disable remote codebases.** +This option, while effective, may involve developer work and could impact functionality. -- **Disconnect affected stacks.** Solution stacks not -connected to agency networks pose a dramatically -lower risk from attack. Consider temporarily +- **Disconnect affected stacks.** Solution stacks not +connected to agency networks pose a dramatically +lower risk from attack. Consider temporarily disconnecting the stack from agency networks. -- **Isolate the system.** Create a “vulnerable network” -VLAN and segment the solution stack from the +- **Isolate the system.** Create a “vulnerable network” +VLAN and segment the solution stack from the rest of the enterprise network. 
-- **Deploy a properly configured Web Application -Firewall (WAF) in front of the solution stack.** -Deploying a WAF is an important, but incomplete, -solution. While threat actors will be able to -bypass this mitigation, the reduction in alerting -will allow an agency SOC to focus on a smaller +- **Deploy a properly configured Web Application +Firewall (WAF) in front of the solution stack.** +Deploying a WAF is an important, but incomplete, +solution. While threat actors will be able to +bypass this mitigation, the reduction in alerting +will allow an agency SOC to focus on a smaller set of alerts. -- **Apply micropatch.** There are several micropatches -available. They are not a part of the official +- **Apply micropatch.** There are several micropatches +available. They are not a part of the official update but may limit agency risk. -- Report incidents promptly to CISA and/or the FBI +- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report). For more information regarding CISA recommended mitigation measures please visit
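Review bot: PATCH 6/6 (`@@ -36,39 +36,39 @@`) rewrites 25 lines of the Mitigation Guidance block with no visible content change, so it is a third whitespace-only commit in a six-commit series that touches the same block. Squash the series into one commit that lands the wrapped, bolded list with the reporting bullet, and state the whitespace convention (trailing spaces or none) once in the message so the next editor does not flip it back.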