About the Log4j Vulnerability
On Friday, December 10, 2021, the Apache Software Foundation publicly announced a critical vulnerability in the open-source Java logging library known as Log4j. This vulnerability, tracked as CVE-2021-44228, is a Remote Code Execution (RCE) vulnerability with a base severity score of 10 (Critical). By exploiting it, an unauthenticated remote threat actor could take control of an affected system.
This critical vulnerability in Log4j has been widely publicized and is being actively exploited by threat actors. All organizations are highly encouraged to evaluate their applications and services for the Log4j vulnerability and take immediate action to mitigate the vulnerability and update the affected library as quickly as possible.
Unlike a traditional software vulnerability, which is addressed by applying a single security patch, the Log4j library is embedded in countless applications, both commercially and internally developed, which makes evaluating and remediating this vulnerability both critical and complex.
Guidance from the Office of the Chief Information Security Officer (OCISO)
The Texas OCISO encourages all organizations to evaluate their applications, services, and vendor-provided resources for this vulnerability.
Vulnerable versions of this logging library are Log4j 2.0-beta9 through 2.14.1. An additional vulnerability was identified in each of versions 2.15.0, 2.16.0 and 2.17.0; as such, the currently recommended upgrade versions are Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) or 2.3.2 (Java 6), which mitigate the remote code execution and other vulnerabilities.
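As an added example, not part of the OCISO advisory, the following Python classifies an inventory of Log4j versions against the version ranges and upgrade releases stated above. It treats only the releases the advisory names as fixed (so 2.12.4 and 2.3.2, which fall numerically inside the vulnerable range, are recognised as the recommended backports); the inventory and application names are constructed.

```python
import re

# Version list exactly as the advisory states it (Log4j 2.x only).
FIRST_VULNERABLE = "2.0-beta9"   # start of the CVE-2021-44228 RCE range
LAST_VULNERABLE = "2.14.1"       # end of that range
LATER_AFFECTED = {"2.15.0", "2.16.0", "2.17.0"}   # additional vulnerabilities
RECOMMENDED = {8: "2.17.1", 7: "2.12.4", 6: "2.3.2"}  # upgrade target by Java major
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?")

def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a comparable tuple. A release with no
    tag sorts after any alpha/beta/rc of the same number (2.0-beta9 < 2.0)."""
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, n = m.groups()
    pre = (_PRE_ORDER[tag], int(n or 0)) if tag else (9, 0)
    return (int(major), int(minor), int(patch or 0), pre)

_FIXED = {parse_version(v) for v in RECOMMENDED.values()}
_AFFECTED = {parse_version(v) for v in LATER_AFFECTED}
_RCE_LOW, _RCE_HIGH = parse_version(FIRST_VULNERABLE), parse_version(LAST_VULNERABLE)

def assess(version, java_major=8):
    """Return (status, upgrade_target) for one Log4j version. The fixed-release
    check runs first because 2.12.4 and 2.3.2 fall numerically inside the RCE
    range yet are the advisory's recommended backport releases."""
    if java_major not in RECOMMENDED:
        raise ValueError(f"advisory names no upgrade release for Java {java_major}")
    v = parse_version(version)
    if v in _FIXED:
        return "fixed", None
    if v in _AFFECTED:
        return "affected", RECOMMENDED[java_major]
    if _RCE_LOW <= v <= _RCE_HIGH:
        return "vulnerable", RECOMMENDED[java_major]
    return "not-listed", None   # e.g. Log4j 1.x, which this advisory does not cover

def triage(inventory, java_major=8):
    """inventory: iterable of (application, version) pairs, e.g. from an SBOM
    export. Returns the rows that need action, RCE-vulnerable ones first."""
    rank = {"vulnerable": 0, "affected": 1}
    rows = [(app, ver, *assess(ver, java_major)) for app, ver in inventory]
    return sorted((r for r in rows if r[2] in rank), key=lambda r: rank[r[2]])

# Constructed sample inventory; the application names are placeholders.
SAMPLE_INVENTORY = [("billing-api", "2.14.1"), ("legacy-batch", "2.0-beta9"),
                    ("portal", "2.16.0"), ("reporting", "2.17.1"), ("old-agent", "1.2.17")]

if __name__ == "__main__":
    for app, ver, status, target in triage(SAMPLE_INVENTORY):
        print(f"{app:<14} {ver:<10} {status:<11} upgrade to {target}")
```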
The latest guidance and updates will be published as more information becomes available.
The Texas DIR Office of the Chief Information Security Officer (OCISO) recommends that all organizations evaluate their applications and services for the Log4j vulnerability and take immediate action.