CISA, FBI and NSA issue joint advisory on Log4j with international security agencies – SC Magazine

Posted: December 23, 2021 at 10:42 pm

Major government security agencies around the world have issued a joint advisory on the Apache Log4j vulnerability that offers technical details, mitigations and resources on what top security officials are calling one of the most severe vulnerabilities ever discovered.

The agencies taking the lead in the United States include the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI. Other nations involved include Australia, Canada, New Zealand, and the United Kingdom.

The joint advisory is a response to the active, worldwide exploitation by numerous threat actors, including two ransomware groups thus far, of vulnerabilities found in the widely-used Java-based logging package Log4j. The security world has been on edge since Log4j was first reported publicly last week. The first attack on a government agency was sustained earlier this week by the Ministry of Defense in Belgium when its email servers went down.

"Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world," said CISA Director Jen Easterly. "We implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks. CISA is working shoulder-to-shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organizations to promptly implement appropriate mitigations."

FBI Cyber Division Assistant Director Bryan Vorndran urged any organization impacted by the Log4j vulnerability to apply all the mitigations recommended by CISA and visit fbi.gov/log4j to report details of any suspected compromises.

CISA has created a dedicated Log4j webpage to offer an authoritative, up-to-date resource with mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. Organizational leaders should also review the blog post by the UK's National Cyber Security Centre, "Log4j vulnerability: what should boards be asking?", for information on Log4Shell's possible impact on their organization as well as response recommendations.

CISA today also notified the industry in a tweet about #HackDHS, Homeland Security's expanded bug bounty program to find and patch Log4j-related vulnerabilities in DHS systems. CISA Director Jen Easterly said the hacker community plays a strong role in keeping the government safe, and looks forward to working more closely.
