1
0
Fork 0
mirror of https://github.com/cisagov/log4j-affected-db.git synced 2024-11-21 16:20:46 +00:00
A community sourced list of log4j-affected software
Find a file
Nicholas McDonnell bc0e017b62
Update software list generation
Consolidate all update tasks into a single bash script that is run by
the GitHub Actions workflow. This also switches to generating
individual Markdown files for each data/cisagov_*.yml file.
2022-02-28 11:19:43 -05:00
.github Update software list generation 2022-02-28 11:19:43 -05:00
config Update software list generation 2022-02-28 11:19:43 -05:00
data Update the software list 2022-02-16 19:32:07 +00:00
software_lists Update rel. paths 2022-02-17 08:32:13 -05:00
.gitignore Improve gitignore file comments and organization. 2021-04-12 10:37:49 -04:00
.mdl_config.yaml Add a markdownlint rule for code blocks 2021-08-10 11:38:39 -04:00
.pre-commit-config.yaml Merge github.com:cisagov/skeleton-generic into maintenance/update_from_skeleton-generic 2022-01-11 14:50:24 -05:00
.prettierignore Configure prettier to ignore JSON files 2019-06-07 11:20:46 -04:00
.yamllint Update the yamllint rules 2022-01-12 12:59:02 -05:00
CONTRIBUTING.md Update CONTRIBUTING.md 2022-01-11 10:15:59 -05:00
LICENSE Rename LICENSE.md to LICENSE, make the other changes that requires 2019-06-24 17:17:54 -04:00
PULL-EXAMPLE.md Update PULL-EXAMPLE.md 2022-01-11 12:17:44 -07:00
README.md Update software lists pointer for README 2022-02-17 08:24:02 -05:00
SOFTWARE-LIST.md Update the software list 2022-02-16 19:32:07 +00:00

CISA Log4j (CVE-2021-44228) Vulnerability Guidance

This repository provides CISA's guidance and an overview of related software regarding the Log4j vulnerability (CVE-2021-44228). CISA urges users and administrators to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance.

The information in this repository is provided "as is" for informational purposes only and is being assembled and updated by CISA through collaboration with the broader cybersecurity community. Inquire with the manufacturer or their respective online resources for the most up-to-date information regarding any specific product listed. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Official CISA Guidance & Resources

CISA Current Activity Alerts

National Vulnerability Database (NVD) Information: CVE-2021-44228

CISA Mitigation Guidance

When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and apply to the entire solution stack.

  • Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues.
  • Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality.
  • Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks.
  • Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network.
  • Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts.
  • Apply micropatch. There are several micropatches available. They are not a part of the official update but may limit agency risk.
  • Report incidents promptly to CISA and/or the FBI here.

For more information regarding CISA recommended mitigation measures please visit here.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

Creating a pull request

Instructions for creating a pull request using the GitHub Web UI can be found in PULL-EXAMPLE.md.

Software List

To view the full list of vendors & software click here.