CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library.

Malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.

This advisory expands on CISA’s previously published guidance, drafted in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), by detailing recommended steps that vendors and organizations with information technology, operational technology/industrial control systems, and cloud assets should take to respond to these vulnerabilities. 

In light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential cyberattacks. CISA has released CISA Insights: Preparing For and Mitigating Potential Cyber Threats to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies.

CISA encourages leadership at all organizations—and critical infrastructure owners and operators in particular—to review the CISA Insights and adopt a heighted state of awareness.