Log4J Vulnerability

On this page:

About the Log4J Vulnerability

Guidance from the Office of the Chief Information Security Officer

Resources

Latest News and Bulletins

Background

On Friday, December 10, 2021, Apache Software Foundation publicly announced a critical vulnerability in the open-source Java logging library, known as Log4j. This vulnerability, tracked as CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability with a base severity score of 10-Critical. By exploiting this vulnerability, an unauthenticated remote threat actor could take control of an affected system.

This critical vulnerability in Log4j has been widely publicized and is being actively exploited by threat actors. All organizations are highly encouraged to evaluate their applications and services for the Log4j vulnerability and take immediate action to mitigate the vulnerability and update the affected library as quickly as possible.

Unlike traditional software vulnerabilities which are addressed with a security patch, the Log4j library is referenced in countless applications, both commercially and internally developed, making evaluation and rectification of this vulnerability both critical and complex.

Guidance from the Office of the Chief Information Security Officer (OCISO)

The Texas OCISO encourages all organizations to evaluate their applications, services, and vendor provided resources for this vulnerability.

Vulnerable versions of this logging library are Log4j, versions 2.0-beta9 through 2.14.1. An additional vulnerability was identified in version 2.15.0, 2.16.0, and 2.17.0, as such, the current recommended version for upgrade is Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) or 2.3.2 (Java 6), which mitigates the remote code execution and other vulnerabilities.

DIR Updates

The latest guidance and updates will be published as more information becomes available.

.pdf (136.08 KB)
Last Updated: 01-07-2022

Texas DIR Office of the Chief Information Security Officer (OCISO) recommends all organizations evaluate their applications and services for the Log4j vulnerability and take immediate action.

Contact DIR

To report a security incident please call DIR Cybersecurity Incident Response and Assistance Hotline 1-877-DIR-CISO (1-877-347-2476).

For routine questions please email:

OCISO:  DIRSecurity@dir.Texas.gov

DIR Cyber Operations (NSOC):  Security-Alerts@dir.Texas.gov

About File Formats

Some documents on this page are in the PDF format. Please download the Adobe Reader in order to view these documents.