The Five Eyes intelligence allies – government agencies in the United States, United Kingdom, Australia, Canada, and New Zealand – issued a joint Cybersecurity advisory (CSA) days before the Christmas holiday, offering guidance for the Apache Log4j vulnerability worldwide.  Nation-states and ransomware gangs are already starting to exploit the vulnerabilities, including Log4Shell (part of the Log4j software library).

The international intelligence agencies issuing the advisory includes CISA, along with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

CISA Director Jen Easterly pointed to the severity of the vulnerability and the global nature of the threat in a press release issued by CISA on Wednesday, December 22nd:

“Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks.  CISA is working shoulder-to-shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organizations to promptly implement appropriate mitigations. These vulnerabilities are the most severe that I’ve seen in my career, and it’s imperative that we work together to keep our networks safe.”

NSA Cybersecurity Director Rob Joyce also stressed in the joint U.S. intelligence agency press release, released at the same time as the Five Eyes CSA,  that “partnering to clearly define the problem, and how to mitigate, is critical to cut through the noise and arm responders with the proper information to act.  Given the severity of the Log4j vulnerabilities and the likelihood of increased exploitation, we strongly urge organizations to apply the mitigations recommended in our joint cybersecurity advisory.”

The advisory is the latest in a series of advisory announcements by CISA, including:

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners

CISA orders federal civilian agencies to patch Log4j vulnerability and 12 others by December 24

The Five Eyes joint CSA “expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities.

These steps include:

• Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities,
• Upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and
• Initiating hunt and incident response procedures to detect possible Log4Shell exploitation.

This CSA also provides guidance for affected organizations with operational technology (OT)/industrial control systems (ICS) assets.”

Log4j is a Java-based logging library used in a variety of consumer and enterprise services, websites, applications, and OT products. These vulnerabilities, especially Log4Shell, are severe—Apache has rated Log4Shell and CVE-2021-45046 as critical and CVE-2021-45105 as high on the Common Vulnerability Scoring System (CVSS). These vulnerabilities are likely to be exploited over an extended period. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK strongly urge all organizations to apply the recommendations in the Mitigations section.

CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK encourage leaders of organizations to review NCSC-UK’s blog post, Log4j vulnerability: what should boards be asking?, for information on Log4Shell’s possible impact on their organization as well as response recommendations.

Note: this is an evolving situation, and new vulnerabilities are being discovered. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK will update this CSA as we learn more about this exploitation and have further guidance to impart.

Click here for a PDF version of this report.

Direct link to the Five Eyes CSA:  Mitigating Log4Shell and Other Log4j-Related Vulnerabilities | CISA

Further Resources

In response to the recently discovered log4j vulnerabilities, @DHSgov is expanding the scope of our new #HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems.

— Secretary Alejandro Mayorkas (@SecMayorkas) December 21, 2021

DHS has also expanded their recently launched #HackDHS bug bounty program to include Log4j related reports.

Related Reading:

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking