Alert status: CRITICAL

Update

This is an update to the Alert the ACSC issued on 10 December 2021.

A critical vulnerability (CVE-2021-44228) exists in certain versions of the Log4j library. A malicious cyber actor could exploit this vulnerability to execute arbitrary code and compromise systems and networks.

Australian organisations should apply the latest patches immediately where Log4j is known to be used. If you are a developer of any affected software, the ACSC advises early communication with your customers to enable them to apply mitigations and install updates where they are available. If you are an individual, it is recommended that you update your device software as soon as possible.

As of 14 December 2021, the ACSC is aware of targeting and compromise of organisations using this vulnerability globally and in Australia. Malicious cyber actors have used this vulnerability to target and compromise systems globally and in Australia.

As of 15 December 2021, the ACSC has published an advisory regarding mitigation and detection recommendations. This advisory is frequently updated with the latest in-depth guidance for organisations, based on ACSC knowledge of this evolving situation.

Background / What has happened?

A critical vulnerability (CVE-2021-44228), leading to remote code execution, has been identified in the Log4j library. The ACSC is aware of scanning attempts to locate vulnerable servers. The Common Vulnerability Scoring System (CVSS) rates this vulnerability as a critical 10/10 severity.

As of 14 December 2021, the ACSC is aware of targeting and compromise of organisations using this vulnerability globally and in Australia.

What is Log4j?

Log4j is a widely used open-source logging library for Java applications. It is a key building block which is reused in a large number of applications globally to provide logging functionality that helps system developers troubleshoot.

Why is it important?

Log4j is used by millions of websites and apps.
The software’s vulnerability potentially allows cybercriminals to take control of systems by typing a simple line of code, making them vulnerable to exploitation. Many forms of enterprise and open-source software, including cloud platforms, popular apps and websites and email services, use Log4j. Thousands of devices around the world connected to the internet could be at risk.

A detailed outline of the vulnerability has been published via a security blog post and additional technical specifications have been published by Red Hat.

What to do?

Australian organisations should identify vulnerable applications and services running in their environment using techniques described or via lists of vulnerable products. The ACSC further recommends that organisations check the logs of these systems for evidence of exploitation attempts using these techniques.

System administrators should check potentially vulnerable servers for outbound traffic to hosts outside the local network, which may indicate communication with command and control nodes, or for traffic to internal hosts indicating attempts at lateral movement. Any activity detected using this method warrants further investigation.

If you are an individual concerned about the Log4j vulnerability, it is recommended that you update your device software as soon as possible.

Mitigation / How do I stay secure?

The ACSC strongly recommends the implementation of the ASD Essential Eight mitigations to mitigate threats to internet-facing systems. Specifically for this vulnerability, maintaining a regular patch process and validating the application of patches reduces the risk of exploitation and is an essential part of a mature cyber program.

For Australian organisations using systems which feature Log4j as a component, the ACSC recommends seeking vendor guidance on patching the system.
If you are a developer of any affected software, the ACSC advises early communication with your customers to enable them to apply mitigations and install updates where they are available.

Australian organisations who utilise Log4j versions prior to 2.15.0 should update to the latest available version. However, where a patch cannot be applied immediately, Australian organisations should make use of the mitigation suggestions available.

Australian organisations are additionally recommended to pursue the following actions to limit the chance of exploitation or extent of compromise:

- Implement network segmentation and segregation of affected hosts;
- Specifically for this vulnerability, configure network access rules to prevent vulnerable hosts from initiating requests to all JNDI-related naming services;
- If practical, disable outbound connections from the vulnerable hosts to the internet;
- Isolate hosts running vulnerable applications to prevent lateral movement;
- Configure a Web Application Firewall (WAF) to drop identified malicious user-controlled Log4j entries;
- Develop a patch prioritisation strategy that focuses on internet-facing systems.

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.
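
One way to carry out the inventory step behind the "versions prior to 2.15.0" recommendation above, as an added example that is not ACSC code. It assumes the Maven `pom.properties` metadata normally present in log4j-core jars has not been stripped; all function names are hypothetical and `sample_jar` builds constructed test input.

```python
import io
import re
import zipfile
from pathlib import Path

# Maven metadata that log4j-core jars carry (assumption: not stripped by repackaging).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # versions prior to this are the ones the alert says to update
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, label, findings, depth=0):
    """Record log4j-core found in this archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace").splitlines()
            version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), "unknown")
            parsed = parse_version(version)
            findings.append((label, version, parsed is None or parsed < FIXED))
        if depth < 3:  # bound recursion into fat jars / WARs
            for name in names:
                if name.lower().endswith(ARCHIVES):
                    scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Return [(location, version, needs_update)]; unparseable versions are flagged too."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def sample_jar(version):
    """Constructed test input: a minimal in-memory jar carrying only the metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"version={version}\ngroupId=org.apache.logging.log4j\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(*scan_tree("."), sep="\n")
```

A clean result only means no log4j-core metadata was found in the scanned archives. Products that repackage the library without this metadata still need the vendor guidance described above.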