On December 10, 2021, the Apache Software Foundation released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote adversary could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
The Cybersecurity and Infrastructure Security Agency (CISA) is working closely with its public and private sector partners to proactively address a critical vulnerability affecting products containing the Log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.
End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.
To help those efforts, CISA added a page to its CISA.gov website today, listing the mitigation actions critical infrastructure partners and stakeholders should take immediately to address the Apache Log4j vulnerability.
Working closely with our interagency and critical infrastructure partners, CISA is focused on sharing timely cyber threat information with the intent to disrupt malicious cyber activity and help our critical infrastructure partners protect their networks.
Google Cloud Recommendations: https://cloud.google.com/blog/products/identity-security/recommendations-for-apache-log4j2-vulnerability