This repository provides CISA's guidance and an overview of related software regarding the Log4j vulnerability (CVE-2021-44228). CISA encourages users and administrators to review the official Apache release and upgrade to Log4j 2.17.0 or apply the recommended mitigations immediately.
The information in this repository is provided "as is" for informational purposes only and is being assembled and updated by CISA through collaboration with the broader cybersecurity community. Inquire with the manufacturer or their respective online resources for the most up-to-date information regarding any specific product listed. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.
- CISA Apache Log4j Vulnerability Guidance
- ALERT (AA21-356A): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
- Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability
- Statement from CISA Director Easterly on “Log4j” Vulnerability.
- Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
- CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities
- Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation
- CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228
National Vulnerability Database (NVD) Information: CVE-2021-44228
CISA urges organizations operating products marked as "Fixed" to immediately implement listed patches/mitigations here.
CISA urges organizations operating products marked as "Not Fixed" to immediately implement alternate controls, including:
- Install a WAF with rules that automatically update.
- Set `log4j2.formatMsgNoLookups` to true by adding `-Dlog4j2.formatMsgNoLookups=True` to the Java Virtual Machine command for starting your application.
- Ensure that any alerts from a vulnerable device are immediately actioned.
- Report incidents promptly to CISA and/or the FBI here.
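
As an added example (not CISA's or Apache's code), the shell helpers below audit the two remediations named on this page: whether a JVM command line really sets `log4j2.formatMsgNoLookups` to true, and whether a `log4j-core` jar is older than 2.17.0. The function names, sample command lines and jar file names are constructed for illustration, and only the `java ... -jar` launch form is modelled.

```shell
#!/bin/sh
# Added example: audit helpers for the upgrade target and the JVM flag named above.

# has_nolookups_flag CMDLINE
# Succeeds when the JVM options in CMDLINE set log4j2.formatMsgNoLookups to true.
has_nolookups_flag() (
    set -f                                  # split on whitespace only, no globbing
    state=unset
    for arg in $1; do
        case "$arg" in
            -jar) break ;;                  # what follows is the jar and app arguments
            -Dlog4j2.formatMsgNoLookups=*)  # a later -D overrides an earlier one
                state=$(printf '%s' "${arg#*=}" | tr '[:upper:]' '[:lower:]') ;;
        esac
    done
    [ "$state" = "true" ]                   # "True" and "true" both enable it
)

# jar_needs_upgrade PATH
# 0: log4j-core older than 2.17.0; 1: 2.17.0 or newer; 2: not a log4j-core jar.
# Assumption: only the 2.17.0 threshold from this page is applied.
jar_needs_upgrade() {
    ver=${1##*/}
    case "$ver" in
        log4j-core-[0-9]*.jar) ;;
        *) return 2 ;;
    esac
    ver=${ver#log4j-core-}; ver=${ver%.jar}
    lowest=$(printf '%s\n%s\n' "$ver" "2.17.0" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$ver" != "2.17.0" ] && [ "$lowest" = "$ver" ]
}

# Constructed sample command lines (not taken from any real host).
while IFS= read -r line; do
    if has_nolookups_flag "$line"; then echo "flag set:     $line"
    else echo "flag MISSING: $line"; fi
done <<'EOF'
java -Dlog4j2.formatMsgNoLookups=True -jar app.jar
java -jar app.jar -Dlog4j2.formatMsgNoLookups=true
EOF
```

The second sample line is reported as missing because the option sits after `-jar app.jar`, where it is passed to the application instead of the JVM. Matching on jar file names does not see Log4j copies bundled inside other archives.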
To view the full list of vendors & software click here.