Log4J Vulnerability
On this page:
About the Log4J Vulnerability
Guidance from the Office of the Chief Information Security Officer
Resources
Latest News and Bulletins
Background
On Friday, December 10, 2021, the Apache Software Foundation publicly disclosed a critical vulnerability in Log4j, its open-source Java logging library. The vulnerability, tracked as CVE-2021-44228, is a Remote Code Execution (RCE) flaw with a CVSS base score of 10.0 (Critical). An unauthenticated remote threat actor who can get attacker-controlled text into a message the application logs can exploit it to take control of the affected system.
This critical vulnerability in Log4j has been widely publicized and is being actively exploited by threat actors. All organizations are highly encouraged to evaluate their applications and services for the Log4j vulnerability and take immediate action to mitigate the vulnerability and update the affected library as quickly as possible.
Unlike a vulnerability in a single product, which is addressed by applying that vendor's security patch, Log4j is a library embedded in countless applications, both commercially and internally developed, and each of those applications has to be identified and remediated on its own. That makes evaluation and remediation of this vulnerability both critical and complex.
Guidance from the Office of the Chief Information Security Officer (OCISO)
The Texas OCISO encourages all organizations to evaluate their applications, services, and vendor-provided resources for this vulnerability.
Versions of Log4j 2 from 2.0-beta9 through 2.14.1 are vulnerable to CVE-2021-44228. Additional vulnerabilities were subsequently identified in versions 2.15.0, 2.16.0, and 2.17.0; as such, the current recommended upgrade targets are Log4j 2.17.1 (Java 8), 2.12.4 (Java 7), or 2.3.2 (Java 6), which address the remote code execution vulnerability and the later ones. Choose the target by the Java runtime each application actually runs on, and check every copy of the library an application bundles, not only the one declared in its build.
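As an added example that is not part of this advisory (and not DIR's or Apache's tooling), the following Python script shows one way to carry out the evaluation the OCISO asks for: it opens a JAR/WAR/EAR, recurses into nested archives, reads the log4j-core version from Maven's pom.properties (falling back to the jar file name), and classifies each copy against the version ranges and upgrade targets stated above. It also reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, because a shaded or repackaged jar can carry the vulnerable class with no version metadata at all. The sample WAR it scans is constructed in memory; the BACKPORTS set (2.12.2, 2.12.3, 2.3.1) is an addition drawn from Apache's release history, not something this page states.

```python
"""Find bundled Apache log4j-core inside JAR/WAR/EAR archives, including archives
nested inside archives, and classify each copy against the version ranges in this
advisory. Run with file paths as arguments, or with none to scan a built-in sample."""
import io
import re
import sys
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIRST_VULNERABLE, LAST_RCE_RANGE = "2.0-beta9", "2.14.1"   # advisory's CVE-2021-44228 range
RECOMMENDED = {(2, 3): "2.3.2", (2, 12): "2.12.4"}         # Java 6 / Java 7 release lines
DEFAULT_TARGET = "2.17.1"                                   # Java 8
# Backports that sit numerically inside the RCE range but already carry its fix (a fact
# not stated on the advisory page); they are still below the recommended release.
BACKPORTS = {"2.12.2", "2.12.3", "2.3.1"}
_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def version_key(text):
    """Sortable key so that '2.0-beta9' < '2.0-rc1' < '2.0' < '2.0.1' < '2.14.1'."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4]:  # pre-release tag (beta/rc) sorts before the final release
        return (major, minor, patch, 0, m[4].lower(), int(m[5] or 0))
    return (major, minor, patch, 1, "", 0)


def classify(version):
    """Map a log4j-core version to (status, recommended_target) per the advisory."""
    key = version_key(version)
    if key[0] != 2:
        return ("not-log4j2", None)  # Log4j 1.x is a separate code base; out of scope here
    target = RECOMMENDED.get(key[:2], DEFAULT_TARGET)
    if key >= version_key(target):
        return ("fixed", target)
    if key < version_key(FIRST_VULNERABLE):
        return ("below-advisory-range", target)
    if version in BACKPORTS:
        return ("upgrade", target)
    if key <= version_key(LAST_RCE_RANGE):
        return ("vulnerable-rce", target)  # CVE-2021-44228
    return ("upgrade", target)  # 2.15.0, 2.16.0, 2.17.0 and their pre-releases


def version_from_archive(zf, name):
    """Version from Maven pom.properties if present, else from the jar file name."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-([0-9][\w.\-]*?)\.jar$", name)
    return m.group(1) if m else None


def scan_archive(data, name, findings=None):
    """Walk an archive's bytes recursively; record every copy of log4j-core found."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        jndi_present = JNDI_LOOKUP in names
        version = version_from_archive(zf, name)
        if version or jndi_present:  # shaded jars carry the class but no version metadata
            status, target = classify(version) if version else ("unknown-version", None)
            findings.append({"path": name, "version": version, "status": status,
                             "target": target, "jndi_lookup_present": jndi_present})
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(inner), f"{name}!{inner}", findings)
    return findings


def _jar(entries):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR: a plain log4j-core 2.14.1, a shaded jar whose version
    metadata was stripped, and an unrelated jar. Class entries hold only the .class
    magic bytes, not real bytecode."""
    magic = b"\xca\xfe\xba\xbe"
    core = _jar({POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n", JNDI_LOOKUP: magic})
    shaded = _jar({JNDI_LOOKUP: magic, "com/example/App.class": magic})
    api = _jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return _jar({"WEB-INF/lib/log4j-core-2.14.1.jar": core, "WEB-INF/lib/helper-all.jar": shaded,
                 "WEB-INF/lib/log4j-api-2.17.1.jar": api})


if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("app.war", build_sample_war())]
    for path, data in targets:
        for finding in scan_archive(data, path):
            print(finding)
```

Run it with archive paths as arguments; with none it scans the built-in sample and reports the 2.14.1 copy as vulnerable and the shaded jar as an unknown version that still contains JndiLookup. It inspects what is bundled on disk, not what a running JVM actually loads, so it will miss a Log4j copy supplied by an application server's shared classpath or by a vendor's embedded runtime; those still have to be confirmed with the vendor or on the running system.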
Resources
The Cybersecurity and Infrastructure Security Agency (CISA) has published an Apache Log4J Vulnerability Guidance webpage, which is an authoritative source of security information for vendors and affected organizations.
The Apache Log4j security page lists all the security vulnerabilities fixed in released versions of Apache Log4j.
Log4j vulnerability response resources and guidance from the Multi-State Information Sharing and Analysis Organization (MS-ISAC) and the Center for Internet Security (CIS).
DIR Updates
The latest guidance and updates will be published as more information becomes available.
Texas DIR Office of the Chief Information Security Officer (OCISO) recommends all organizations evaluate their applications and services for the Log4j vulnerability and take immediate action.
Contact DIR
To report a security incident please call DIR Cybersecurity Incident Response and Assistance Hotline 1-877-DIR-CISO (1-877-347-2476).
For routine questions please email:
OCISO: [email protected]
DIR Cyber Operations (NSOC): [email protected]