Merge branch 'develop' into cloud_services

2 years ago · c9610b8e52
parent c92ba2ea0f a01efbcbb6
commit c9610b8e52
5 changed files with 812 additions and 207 deletions
--- a/.github/ISSUE_TEMPLATE/product-submission-form.yml
+++ b/.github/ISSUE_TEMPLATE/product-submission-form.yml
@ -0,0 +1,82 @@
+---
+name: Submit a Product
+description: Submit a product to the database
+title: "[Product Submission]: <vendor> - <product>"
+body:
+  - type: input
+    id: product-vendor
+    attributes:
+      label: Product vendor
+      description: Who is the vendor for the product?
+      placeholder: Cisco, Dell, IBM, etc.
+    validations:
+      required: true
+  - type: input
+    id: product-name
+    attributes:
+      label: Product name
+      description: What is the name of the product?
+      placeholder: AppDynamics, BigFix Inventory, Centera, etc.
+    validations:
+      required: true
+  - type: input
+    id: product-versions
+    attributes:
+      label: Product version(s)
+      description: What version(s) of the product is (are) affected?
+      placeholder: v2; 1.5; >3; >=4; >5, <6; etc.
+    validations:
+      required: true
+  - type: dropdown
+    id: product-status
+    attributes:
+      label: Product status
+      description: What is the current status of the affected product?
+      options:
+        - Unknown
+        - Affected
+        - Not Affected
+        - Fixed
+        - Under Investigation
+    validations:
+      required: true
+  - type: markdown
+    attributes:
+      value: |
+        Please use the information below when selecting a status.
+
+        - Unknown - Status unknown. Default choice.
+        - Affected - Reported to be affected by CVE-2021-44228.
+        - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
+          further action necessary.
+        - Fixed - Patch and/or mitigations available (see provided links).
+        - Under Investigation - Vendor investigating status.
+  - type: dropdown
+    id: product-updated
+    attributes:
+      label: Product update
+      description: Is there an update available for the product?
+      options:
+        - Available
+        - Not Available
+    validations:
+      required: true
+  - type: input
+    id: product-update-link
+    attributes:
+      label: Product update link
+      description: Where can the update be found, if one is available?
+  - type: input
+    id: product-last-updated
+    attributes:
+      label: Last updated
+      description: When was the product last updated?
+      placeholder: "2021-12-06"
+  - type: textarea
+    id: product-notes
+    attributes:
+      label: Notes
+  - type: textarea
+    id: product-references
+    attributes:
+      label: References
--- a/.github/ISSUE_TEMPLATE/product-submission-template.md
+++ b/.github/ISSUE_TEMPLATE/product-submission-template.md
@ -1,27 +0,0 @@
---
-name: Product Submission Template
-about: Template for product submissions of all publicly available information
-  and vendor-supplied advisories regarding the log4j vulnerability.
---
-# Submission Template #
-
-Please provide the following information.
-
- Vendor Name
- Product Name
- Version(s) affected
- Status: Please choose from one of the following - Unknown, Affected,
-  Not Affected, Fixed, and Under Investigation.
- Update Available: Yes or No (If Yes, please provide link to information)
- Notes
- References
- Last Updated: Date of last update
-
-For questions about choice for status, please see the information below.
-
- Unknown - Status unknown. Default choice.
- Affected - Reported to be affected by CVE-2021-44228.
- Not Affected - Reported to NOT be affected by CVE-2021-44228 and no further
-  action necessary.
- Fixed - Patch and/or mitigations available (see provided links).
- Under Investigation - Vendor investigating status.
--- a/.github/ISSUE_TEMPLATE/product-update-form.yml
+++ b/.github/ISSUE_TEMPLATE/product-update-form.yml
@ -0,0 +1,80 @@
+---
+name: Update a Product
+description: Update information about a product in the database
+title: "[Product Update]: <vendor> - <product>"
+body:
+  - type: input
+    id: product-vendor
+    attributes:
+      label: Product vendor
+      description: Who is the vendor for the product?
+      placeholder: Cisco, Dell, IBM, etc.
+    validations:
+      required: true
+  - type: input
+    id: product-name
+    attributes:
+      label: Product name
+      description: What is the name of the product?
+      placeholder: AppDynamics, BigFix Inventory, Centera, etc.
+    validations:
+      required: true
+  - type: textarea
+    id: update-context
+    attributes:
+      label: Context
+      description: Please provide context around the update.
+  - type: input
+    id: product-versions
+    attributes:
+      label: Product version(s)
+      description: What version(s) of the product are affected?
+  - type: dropdown
+    id: product-status
+    attributes:
+      label: Product status
+      description: What is the current status of the affected product?
+      options:
+        - Unknown
+        - Affected
+        - Not Affected
+        - Fixed
+        - Under Investigation
+  - type: markdown
+    attributes:
+      value: |
+        Please use the information below when selecting a status.
+
+        - Unknown - Status unknown. Default choice.
+        - Affected - Reported to be affected by CVE-2021-44228.
+        - Not Affected - Reported to NOT be affected by CVE-2021-44228 and no
+          further action necessary.
+        - Fixed - Patch and/or mitigations available (see provided links).
+        - Under Investigation - Vendor investigating status.
+  - type: dropdown
+    id: product-updated
+    attributes:
+      label: Product update
+      description: Is there an update available for the product?
+      options:
+        - Available
+        - Not Available
+  - type: input
+    id: product-update-link
+    attributes:
+      label: Product update link
+      description: Where can the update be found, if one is available?
+  - type: input
+    id: product-last-updated
+    attributes:
+      label: Last updated
+      description: When was the product last updated?
+      placeholder: "2021-12-06"
+  - type: textarea
+    id: product-notes
+    attributes:
+      label: Notes
+  - type: textarea
+    id: product-references
+    attributes:
+      label: References
--- a/README.md
+++ b/README.md
@ -5,7 +5,7 @@ This repository provides
 and an overview of related software regarding the Log4j vulnerability
 (CVE-2021-44228). CISA encourages users and administrators to review the
 [official Apache release](https://logging.apache.org/log4j/2.x/security.html)
-and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately.
+and upgrade to Log4j 2.17.1 or apply the recommended mitigations immediately.

 The information in this repository is provided "as is" for informational
 purposes only and is being assembled and updated by CISA through
@ -20,11 +20,14 @@ or imply their endorsement, recommendation, or favoring by CISA.
 ## Official CISA Guidance & Resources ##

 - [CISA Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)
+- [CISA ED 22-02: Apache Log4j Recommended Mitigation Measures](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures)
+- [CISA ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a)
 - [Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability](https://www.cisa.gov/emergency-directive-22-02)
 - [Statement from CISA Director Easterly on “Log4j” Vulnerability](https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability).

 ## CISA Current Activity Alerts ##

+- [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/22/mitigating-log4shell-and-other-log4j-related-vulnerabilities)
 - [CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache)
 - [Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce)
 - [CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228](https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228)
@ -33,17 +36,43 @@ National Vulnerability Database (NVD) Information: [CVE-2021-44228](https://nvd.

 ## Mitigation Guidance ##

-CISA urges organizations operating products marked as "Fixed" to immediately
-implement listed patches/mitigations [here](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance).
+When updates are available, agencies must update software
+using Log4j to the newest version, which is the most
+effective and manageable long-term option. Where
+updating is not possible, the following mitigating
+measures can be considered as a temporary solution
+and apply to the entire solution stack.

-CISA urges organizations operating products marked as "Not Fixed" to immediately
-implement alternate controls, including:
+- **Disable Log4j library.** Disabling software using the
+Log4j library is an effective measure, favoring
+controlled downtime over adversary-caused issues.
+This option could cause operational impacts and limit
+visibility into other issues.
+- **Disable JNDI lookups or disable remote codebases.**
+This option, while effective, may involve
+developer work and could impact functionality.
+- **Disconnect affected stacks.** Solution stacks not
+connected to agency networks pose a dramatically
+lower risk from attack. Consider temporarily
+disconnecting the stack from agency networks.
+- **Isolate the system.** Create a “vulnerable network”
+VLAN and segment the solution stack from the
+rest of the enterprise network.
+- **Deploy a properly configured Web Application
+Firewall (WAF) in front of the solution stack.**
+Deploying a WAF is an important, but incomplete,
+solution. While threat actors will be able to
+bypass this mitigation, the reduction in alerting
+will allow an agency SOC to focus on a smaller
+set of alerts.
+- **Apply micropatch.** There are several micropatches
+available. They are not a part of the official
+update but may limit agency risk.
+- Report incidents promptly to CISA and/or the FBI
+[here](https://www.cisa.gov/uscert/report).

- Install a WAF with rules that automatically update.
- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True`
-  to the Java Virtual Machine command for starting your application.
- Ensure that any alerts from a vulnerable device are immediately actioned.
- Report incidents promptly to CISA and/or the FBI [here](https://www.cisa.gov/uscert/report).
+For more information regarding CISA recommended mitigation measures please visit
+[here](https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures).

 ## Software List ##

--- a/SOFTWARE-LIST.md
+++ b/SOFTWARE-LIST.md