Five Eyes issue joint advisory for defending against Log4Shell
Government agencies in the United States, United Kingdom, Australia, Canada, and New Zealand—which make up the “Five Eyes” intelligence alliance—issued a joint Cybersecurity Advisory Wednesday offering guidance for those affected by serious vulnerabilities, including Log4Shell, in the widely used Apache Log4j software library.
The flaws can allow attackers to remotely execute code on vulnerable systems, and researchers say nation-state and ransomware gangs are already exploiting them.
In a press release accompanying the advisory, U.S. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly described the Log4j vulnerabilities as “the most severe” she’s seen in her career and emphasized the global nature of the risk.
“CISA is working shoulder-to-shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organizations to promptly implement appropriate mitigations,” she said.
The new guidance expands on advice previously released by CISA and its Joint Cyber Defense Collaborative (JCDC), with a focus on securing traditional IT and cloud vendor-based networks as well as operational and industrial control systems.
The advisory covers:
Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities,
Upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and
Initiating hunt and incident response procedures to detect possible Log4Shell exploitation.
Last week, CISA issued an “emergency directive” ordering federal agencies to address Log4j vulnerabilities, and on Tuesday the Department of Homeland Security announced it was expanding its bug bounty program to include reports of related issues.
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.