Apache Log4j Vulnerability Guidance

Summary

Note: CISA will continue to update this webpage as well as our community-sourced GitHub repository as we have further guidance to impart and additional vendor information to provide.

CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

(Updated April 8, 2022) Organizations should continue identifying and remediating vulnerable Log4j instances within their environments and plan for long term vulnerability management. Consider the following in planning: 

• Scope of covered assets: Due to the limited availability of initial information, identification and mitigation efforts may have been scoped to a limited number of an organization’s assets. For long term mitigation, ensure the prevalence of log4j in all assets is considered and accounted for, including internally developed software and non-internet facing technology stacks. 
• Continuous enumeration and analysis: Organizations need to perform comprehensive analysis to fully enumerate all Log4J vulnerabilities. This should include scanning (network and host) and comparing installed software with software listed in CISA’s Log4j vulnerable software database.  
  • High fidelity scanning. Consider using file system scanning scripts to identify vulnerable Log4j files or use vulnerability scanners that leverage file scanning.  
  • Newly vulnerable 3rd party software. Organizations may lack insight into certain applications, such as Software as a Service (SaaS) solutions and other cloud resources. Organizations should continue to review the CISA log4j vulnerable software database and cross reference against used software. 
• Patching over mitigation: If an update is available, it should be applied immediately. If a product cannot be updated, you should apply the temporary mitigation measures from the list at Mitigating Log4Shell and Other Log4j-Related Vulnerabilities. Note: while certain mitigation measures, such as removing the vulnerable class, can prevent exploitation, tracking each asset’s mitigation status adds administrative overhead so patching is preferred. If an asset cannot be patched or mitigated, consider removing it from the network. 

(Updated December 28, 2021) Organizations are urged to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance. 

See CISA's joint Alert AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for more information. 

In order for vulnerabilities to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement these security updates. Users of such products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions. 

• Vendors
  • Immediately identify, mitigate, and update affected products using Log4j to the latest version.
    
     
  • Inform your end users of products that contain these vulnerabilities and strongly urge them to prioritize software updates.
    
     
• Affected Organizations
  • In addition to the immediate actions detailed in the box above, review CISA's GitHub repository for a list of affected vendor information and apply software updates as soon as they are available. See Actions for Organizations Running Products with Log4j below for additional guidance. Note: CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog, which was created according to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
    
     
  • On December 17, 2021, CISA issued Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability directing federal civilian executive branch agencies to address Log4j vulnerabilities—most notably, CVE-2021-44228. The Emergency Directive requires agencies to implement additional mitigation measures for vulnerable products where patches are not currently available and requires agencies to patch vulnerable internet-facing assets immediately, thereby superseding the broader deadline in BOD 22-01 for internet-facing technologies.

Technical Details

The CVE-2021-44228 RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that "do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."

• Note: the Apache Log4j version 2.16.0 security update that addresses the CVE-2021-45046 vulnerability disables JNDI.

An adversary can exploit CVE-2021-44228 by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity. 

Actions for Organizations Running Products with Log4j

CISA recommends affected entities:

• Determine whether your organization's products with Log4j are vulnerable by following the chart below, using both verification methods:
  • [1] CISA's GitHub repository and
  • [2] CERT/CC's CVE-2021-44228_scanner.

• Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround.
• Apply available patches immediately.
  • Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets. 
  • As stated above, Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability requires agencies to patch vulnerable internet-facing assets immediately.
• Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings. 
• Consider reporting compromises immediately to CISA and the FBI.

Resources

This information is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.

Ongoing List of Impacted Products and Devices

CISA is maintaining a community-sourced GitHub repository that provides a list of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability.

Ongoing Sources for Detection Rules 

CISA will update sources for detection rules as we obtain them.

For detection rules, see Florian Roth's GitHub page, log4j RCE Exploitation Detection. Note: due to the urgency to share this information, CISA has not yet validated this content.

For a list of hashes to help determine if a Java application is running a vulnerable version of Log4j, see Rob Fuller's GitHub page, CVE-2021-44228-Log4Shell-Hashes. Note: due to the urgency to share this information, CISA has not yet validated this content. 

Mitigation Guidance from JCDC Partners 

• Broadcom's Symantec Enterprise blog: Apache Log4j Zero-Day Being Exploited in the Wild content
• Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
• CISA's Alert AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
• Cloudflare Blog: CVE-2021-44228 - Log4j RCE 0-day mitigation
• Cloudflare Blog: Protection against CVE-2021-45046, the additional Log4j RCE vulnerability
• Cloudfare Blog: Actual CVE-2021-44228 payloads captured in the wild
• CrowdStrike blog: Log4j2 Vulnerability Analysis and Mitigation Recommendations
• FireEye GitHub: CVE-2021-44228
• Google Cloud blog: Google Cloud recommendations for investigating and responding to the Apache “Log4j 2” vulnerability
• IBM Security Intelligence blog: How Log4j Vulnerability Could Impact You
• Investigating CVE-2021-44228 Log4Shell Vulnerability: VMWare Threat Research
• Mandiant blog: Log4Shell Initial Exploitation and Mitigation Recommendations
• Microsoft blog: Guidance for Preventing, Detecting, and Hunting for CVE-2021-44228 Log4j 2 Exploitation
• Microsoft Threat Intelligence Center: Log4j IOC List
• Palo Alto Networks blog: Apache log4j Threat Update
• Splunk blog: Log4Shell - Detecting Log4j Vulnerability (CVE-2021-44228) Continued
• Splunk blog: Log4Shell - Detecting Log4j 2 RCE Using Splunk
• Splunk: Log4Shell CVE-2021-44228
• Tenable blog: CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)
• Tenable blog: CVE-2021-44228, CVE-2021-45046, CVE-2021-4104: Frequently Asked Questions About Log4Shell and Associated Vulnerabilities
• VMware Blog: Log4j Vulnerability Security Advisory: What You Need to Know

Additional Resources

• Joint Cybersecurity Advisory – Technical Approaches to Uncovering and Remediating Malicious Activity provides general incident response guidance.
• NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies offers more information on the basics of enterprise patch management technologies.
• CISA’s Cyber Essentials serve as a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
• CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats.
• CERT/CC: Apache Log4j allows insecure JNDI lookups
• New Zealand Computer Emergency Response Team’s Advisory: Log4j RCE 0-Day Actively Exploited
• Canadian Centre for Cyber Security Alert: Active Exploitation of Apache Log4j Vulnerability
• United Kingdom National Cyber Security Centre Alert: Apache Log4j vulnerability (CVE-2021-44228)
• Australian Cyber Security Centre Alert: Critical remote code execution vulnerability found in Apache Log4j2 library
• Australian Cyber Security Centre Advisory: 2021-007: Apache Log4j2 vulnerability – advice and mitigations
• F5 Security Update: Apache Log4j2 Remote Code Execution vulnerability CVE-2021-44228
• Qualys blog: CVE-2021-44228: Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell)
• Royce Williams’s Tech Solvency blog: Log4Shell log4j vulnerability (CVE-2021-44228 / CVE-2021-45046) - cheat-sheet reference guide
• Center for Internet Security: Log4j Zero-Day Vulnerability Response
• Secureworks: Log4j: What We've Learned So Far
• Malware News: Log4Shell (Log4j RCE): Detecting Post-Exploitation Evidence is Best Chance for Mitigation
• Check Point Research: APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit 
• Hack eXPlorer: Log4j - TryHackMe Full Walkthrough & More!!
• TryHackMe Walkthrough: Solar, exploiting log4j
• TrustedSec blog: Lof4j Detection and Response Playbook
• RiskIQ Intelligence Brief: CVE-2021-44228 - Apache Log4j Remote Code Execution Vulnerability
• NCC Group blog: Log4Shell: Reconnaissance and post exploitation network detection
• NCC Group Fox-it GitHub: Log4Shell PCAPS and Network Coverage
• GitHub: Log4Shell-Rex
• Curated Intelligence Trust Group GitHub: Log4Shell IOCs
• VirusTotal Collection: Log4j used by malware families
• Apache: JNDI Lookup plugin support
• LunaSec blog: Guide: How To Detect and Mitigate the Log4Shell Vulnerability (CVE-2021-44228 & CVE-2021-45046)
• LunaSec blog: Log4Shell Update: Severity Upgraded 3.7 to 9.0 for Second log4j Vulnerability (CVE-2021-45046)
• NIST: CVE-2021-44228
• NIST: CVE-2021-45046
• NIST: CVE-2021-4104
• NIST: CVE-2021-45105