![]() ![]() See Actions for Organizations Running Products with Log4j below for additional guidance. ![]() In addition to the immediate actions detailed in the box above, review CISA's GitHub repository for a list of affected vendor information and apply software updates as soon as they are available.Inform your end users of products that contain these vulnerabilities and strongly urge them to prioritize software updates.Immediately identify, mitigate, and update affected products using Log4j to the latest version.Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions. Users of such products and services should refer to the vendors of these products/services for security updates. In order for vulnerabilities to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement these security updates. See CISA's joint Alert AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for more information. (Updated December 28, 2021)Organizations are urged to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance. If an asset cannot be patched or mitigated, consider removing it from the network. If a product cannot be updated, you should apply the temporary mitigation measures from the list at Mitigating Log4Shell and Other Log4j-Related Vulnerabilities. Note: while certain mitigation measures, such as removing the vulnerable class, can prevent exploitation, tracking each asset’s mitigation status adds administrative overhead so patching is preferred. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |