Major government security agencies around the world have issued a joint advisory on the Apache Log4j vulnerability that offers technical details, mitigations and resources on what top security officials are calling one of the most severe vulnerabilities ever discovered.
The agencies taking the lead in the United States include the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI. Other nations involved include Australia, Canada, New Zealand, and the United Kingdom.
The joint advisory is a response to the active, worldwide exploitation by numerous threat actors — including two ransomware groups thus far — of vulnerabilities found in the widely used Java-based logging package Log4j. The security world has been on edge since the Log4j vulnerability was first reported publicly last week. The first attack on a government agency was sustained earlier this week by the Ministry of Defense in Belgium, whose email servers went down.
“Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world,” said CISA Director Jen Easterly. “We implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks. CISA is working shoulder-to-shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organizations to promptly implement appropriate mitigations.”
FBI Cyber Division Assistant Director Bryan Vorndran urged any organization impacted by the Log4j vulnerability to apply all the mitigations recommended by CISA and to visit fbi.gov/log4j to report details of any suspected compromises.
CISA has created a dedicated Log4j webpage to offer an authoritative, up-to-date resource with mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. Organizational leaders should also review the blog post by the UK's National Cyber Security Centre, “Log4j vulnerability: what should boards be asking?”, for information on Log4Shell’s possible impact on their organization as well as response recommendations.
CISA today also notified the industry in a tweet about #HackDHS, Homeland Security’s expanded bug bounty program to find and patch Log4j-related vulnerabilities in DHS systems. CISA Director Jen Easterly said the hacker community plays a strong role in keeping the government safe, and that the agency looks forward to working more closely with it.