ArchiveOODA Original

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners

Relative to other cyber incidents in the last few months, Log4j is proving severely problematic.  If you are in the middle of your impact and mitigation assessment, hands down the most important resource available is the webpage CISA launched yesterday to address the current activity: Apache Log4j Vulnerability Guidance | CISA.

OODA CEO Matt Devost wants the OODA Loop membership to know that “this is a great page and we should highlight that it exists for OODA Loop members.  CISA has done a great job here.”  Log4j is also the first US-CERT notification to put front and center private sector collaboration through the newly formed DHS CISA Joint Cyber Defense Collaborative (JCDC):

“CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”

The timing of the Log4j incident is proving a test of the public/private collaboration efforts which are now at the center of CISA Culture.  It also dovetails with a recent call to action from CISA’s Jen Easterly and Def Con’s Jeff Moss at the Inaugural CISA Cybersecurity Advisory Committee meeting.

Good luck to everyone who is dealing with impacts from Log4j.  We are interested in any member feedback – post-incident of course – on how this experience was unique (scale of the breach, CISA’s role, the effectiveness of the CISA JCDC approach during the crisis, etc.).

In the meantime, here are the resources CISA and the JCDC have provided to get your organization on the other side of the Apache Log4j Vulnerability CVE-2021-44228:

CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228 | CISA

Apache Log4j Vulnerability Guidance | CISA

Also, this just came in from The Record:  CISA tells federal agencies to patch Log4Shell before Christmas – with this interesting update (amongst other USG specific updates):

“Security researcher Royce Williams has already compiled a list of what is and what is not vulnerable to Log4Shell, a list available here and containing information on more than 300 vendors. Another one is the list managed by the Dutch National Cyber Security Center.”

Actions for Organizations Running Products with Log4j

CISA recommends affected entities:

  • Review Apache’s Log4j Security Vulnerabilities page for additional information.
  • Apply available patches immediately. See CISA’s upcoming GitHub repository for known affected products and patch information.
    • Prioritize patching, starting with mission-critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
    • Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above.
    • As stated above, BOD 22-01 directs federal civilian agencies to mitigate CVE-2021-44228 by December 24, 2021, as part of the Known Exploited Vulnerabilities Catalog.
  • Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings.
  • Consider reporting compromises immediately to CISA and the FBI.

Ongoing List of Impacted Products and Devices

CISA will maintain a community-sourced GitHub repository that provides a list of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability.

Ongoing Sources for Detection Rules

CISA will update sources for detection rules as we obtain them.

For detection rules, see Florian Roth’s GitHub page, log4j RCE Exploitation DetectionNote: due to the urgency to share this information, CISA has not yet validated this content.

For a list of hashes to help determine if a Java application is running a vulnerable version of Log4j, see Rob Fuller’s GitHub page, CVE-2021-44228-Log4Shell-HashesNote: due to the urgency to share this information, CISA has not yet validated this content.

Mitigation Guidance from JCDC Partners

General Cybersecurity Resources

Related Reading:

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Daniel Pereira

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.