National Security Agency/Central Security Service – December 22 – WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for cybersecurity (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint cybersecurity advisory with technical details, mitigations, and resources to address known vulnerabilities in the Apache Log4j software library. This advisory provides critical guidance that any organisation using products with Log4j should immediately implement.

The joint advisory is in response to the active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors, of vulnerabilities found in the widely used Java-based logging package Log4j. CISA, FBI, NSA, and our international agency partners have been working with entities in the public and private sectors since the first vulnerability was discovered to identify vulnerable products, raise awareness, and encourage all potentially affected organisations to take immediate action.

“Log4j vulnerabilities present a severe and ongoing threat to organisations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” said CISA Director Jen Easterly.

“CISA is working shoulder-to-shoulder with our inter-agency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organisations to promptly implement appropriate mitigations. These vulnerabilities are the most severe that I’ve seen in my career, and it’s imperative that we work together to keep our networks safe.”

“The FBI continues to work alongside our federal and international partners to mitigate malicious cyber activity and arm the public and private sector with information to better shield their systems,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We continue to urge anyone who is impacted by the Log4j vulnerability to apply all recommended mitigations from CISA and visit fbi.gov/log4j to report details of your suspected compromise.”

“Partnering to clearly define the problem, and how to mitigate, is critical to cut through the noise and arm responders with the proper information to act,” said NSA Cybersecurity Director Rob Joyce. “Given the severity of the Log4j vulnerabilities and the likelihood of increased exploitation, we strongly urge organisations to apply the mitigations recommended in our joint cybersecurity advisory.”

“Malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world.

To address this threat we all need to be proactive in our efforts to patch, partner and monitor,” said Acting Head of the Australian Cyber Security Centre Ms. Jessica Hunter. “This joint advisory highlights the value of such an approach. The ACSC alongside our partners at CISA, the FBI, the NSA, CCCS, CERT-NZ, NZ NCSC and the NCSC-UK remain committed to advancing cybersecurity.”

“The Log4-related vulnerabilities are a serious risk for organisations around the world,” said Sami Khoury, Head, Canadian Centre for cybersecurity.

“By joining alongside our partners in releasing today’s joint advisory, the Communications Security Establishment and its Canadian Centre for cybersecurity are pleased to continue making threat information more publicly available, while providing specific advice and guidance to protect against these kinds of risks.”

“It is vital that organisations patch software as a matter of urgency and continue to follow the advice published,” said NCSC Director for Operations, Paul Chichester. “This is a significant vulnerability and we will work closely with our international partners to minimise risk and mitigate any impact.”

“We cannot stress enough how important it is for everyone to patch this vulnerability as soon as possible,” said CERT NZ Director Rob Pope. “We know that malicious actors are constantly scanning for a way into systems worldwide, using the Log4j vulnerability. It is only through collective actions that we can effectively address these types of attacks, which is why we’re proud to be part of an international effort to keep organisations safe and secure.”

CISA created a dedicated Log4J webpage to provide an authoritative, up-to-date resource with mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. Organisational leaders should also review NCSC’s blog post, “Log4j vulnerability: what should boards be asking?,” for information on Log4Shell’s possible impact on their organisation as well as response recommendations.

Every executive and leader is strongly encouraged to ensure their business, organisation, or government agency is taking appropriate action to mitigate these Log4j vulnerabilities.

This joint advisory also provides valuable resources to help organisations further strengthen their defences and resiliency for these vulnerabilities as well as other cyber threats.

This is an evolving situation, and new vulnerabilities are being discovered. Therefore, this advisory will be updated as we learn and assess new information. Read the full joint cybersecurity advisory.