An official website of the United States government Here's how you know

Immediate Actions to Protect Against Log4j Exploitation • Discover all internet-facing assets that allow data inputs and use Log4j Java library anywhere in the stack. • Discover all assets that use the Log4j library. • Update or isolate affected assets. Assume compromise, identify common post-exploit sources and activity, and hunt for signs of malicious activity. • Monitor for odd traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).

Note: CISA will continue to update this webpage as well as our community-sourced GitHub repository as we have further guidance to impart and additional vendor information to provide.

CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

(Updated April 8, 2022) Organizations should continue identifying and remediating vulnerable Log4j instances within their environments and plan for long term vulnerability management. Consider the following in planning: 

(Updated December 28, 2021) Organizations are urged to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance. 

See CISA's joint Alert AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for more information. 

In order for vulnerabilities to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement these security updates. Users of such products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions. 

The CVE-2021-44228 RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that "do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."

An adversary can exploit CVE-2021-44228 by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity. 

This information is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.

CISA is maintaining a community-sourced GitHub repository that provides a list of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability.

CISA will update sources for detection rules as we obtain them.

For detection rules, see Florian Roth's GitHub page, log4j RCE Exploitation Detection. Note: due to the urgency to share this information, CISA has not yet validated this content.

For a list of hashes to help determine if a Java application is running a vulnerable version of Log4j, see Rob Fuller's GitHub page, CVE-2021-44228-Log4Shell-Hashes. Note: due to the urgency to share this information, CISA has not yet validated this content. 

Receive security alerts, tips, and other updates.

CISA is part of the Department of Homeland Security