1
0
Fork 0
mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-10-31 22:28:26 +00:00
A community sourced list of log4j-affected software
Find a file
justmurphy 45688937f1
Merge pull request #348 from mrshorten/develop
Update SOFTWARE-LIST.md
2021-12-22 16:29:19 -05:00
.github Update .github/CODEOWNERS 2021-12-20 15:33:39 -06:00
.gitignore Improve gitignore file comments and organization. 2021-04-12 10:37:49 -04:00
.mdl_config.yaml Add a markdownlint rule for code blocks 2021-08-10 11:38:39 -04:00
.pre-commit-config.yaml Update pre-commit hook versions 2021-12-15 15:30:14 -05:00
.prettierignore Configure prettier to ignore JSON files 2019-06-07 11:20:46 -04:00
.yamllint First commit 2019-03-11 08:52:57 -04:00
CONTRIBUTING.md Update contributing instructions 2021-12-15 15:30:14 -05:00
LICENSE Rename LICENSE.md to LICENSE, make the other changes that requires 2019-06-24 17:17:54 -04:00
README.md Add CA & Alert 12/22 2021-12-22 10:24:50 -05:00
SOFTWARE-LIST.md Add AFHCAN website link 2021-12-22 16:27:41 -05:00

CISA Log4j (CVE-2021-44228) Vulnerability Guidance

This repository provides CISA's guidance and an overview of related software regarding the Log4j vulnerability (CVE-2021-44228). CISA encourages users and administrators to review the official Apache release and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately.

The information in this repository is provided "as is" for informational purposes only and is being assembled and updated by CISA through collaboration with the broader cybersecurity community. Inquire with the manufacturer or their respective online resources for the most up-to-date information regarding any specific product listed. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Official CISA Guidance & Resources

CISA Current Activity Alerts

National Vulnerability Database (NVD) Information: CVE-2021-44228

Mitigation Guidance

CISA urges organizations operating products marked as "Fixed" to immediately implement listed patches/mitigations here.

CISA urges organizations operating products marked as "Not Fixed" to immediately implement alternate controls, including:

  • Install a WAF with rules that automatically update.
  • Set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application.
  • Ensure that any alerts from a vulnerable device are immediately actioned.
  • Report incidents promptly to CISA and/or the FBI here.

Software List

To view the full list of vendors & software click here.