Apache Log4j Vulnerability Guidance

Apache Log4j Vulnerability Guidance

Immediate Actions to Protect Against Log4j Exploitation

• Discover all internet facing assets that allow data inputs and use Log4j Java library anywhere in the stack.
• Discover all assets that use the Log4j library.
• Update or isolate affected assets. Assume compromise, identify common post-exploit sources and activity, and hunt for signs of malicious activity.
• Monitor for odd traffic patterns (e.g., JDNI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).


Note: CISA will continue to update this webpage as well as our community-sourced GitHub repository as we have further guidance to impart and additional vendor information to provide.

CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

  • On December 10, 2021, Apache released Log4j version 2.15.0 in a security update to address the CVE-2021-44228 vulnerability.
  • (Updated December 15, 2021) On December 13, 2021, Apache released Log4j version 2.16.0 in a security update to address the CVE-2021-45046 vulnerability. A remote attacker can exploit this second Log4j vulnerability to cause a denial-of-service (DOS) condition in certain non-default configurations.
    • Note: affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.

In order for these vulnerabilities to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement these security updates. Users of such products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions. 

  • Vendors
    • (Updated December 15, 2021) Immediately identify, mitigate, and update affected products using Log4j to version 2.16.0. Note: as stated above, affected organizations will need to upgrade to Log4j 2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.
    • Inform your end users of products that contain these vulnerabilities and strongly urge them to prioritize software updates.
  • Affected Organizations

Technical Details

The CVE-2021-44228 RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that "do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."

An adversary can exploit this CVE-2021-44228 by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity. 

Actions for Organizations Running Products with Log4j

CISA recommends affected entities:

  • Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround:
    • In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
    • For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
    • For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
  • Apply available patches immediately.
    • Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets. 
    • Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above. 
    • As stated above, BOD 22-01 directs federal civilian agencies to mitigate CVE-2021-44228 by December 24, 2021, as part of the Known Exploited Vulnerabilities Catalog.
  • Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings. 
  • Consider reporting compromises immediately to CISA and the FBI.


This information is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.

Ongoing List of Impacted Products and Devices

CISA is maintaining a community-sourced GitHub repository that provides a list of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability.

Ongoing Sources for Detection Rules 

CISA will update sources for detection rules as we obtain them.

For detection rules, see Florian Roth's GitHub page, log4j RCE Exploitation DetectionNote: due to the urgency to share this information, CISA has not yet validated this content.

For a list of hashes to help determine if a Java application is running a vulnerable version of Log4j, see Rob Fuller's GitHub page, CVE-2021-44228-Log4Shell-HashesNote: due to the urgency to share this information, CISA has not yet validated this content. 

Mitigation Guidance from JCDC Partners 

Additional Resources

    • Related Articles

    • Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

      Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 MSRC / By MSRC Team / December 11, 2021 ​ SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based ...
    • Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation

      Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation Microsoft 365 Defender Threat Intelligence Team Microsoft Threat Intelligence Center (MSTIC) Updates: [12/16/2021] New Microsoft Sentinel solution and additional ...
    • Log4j Overview: Related Software

      This page contains an overview of any related software regarding the Log4j vulnerability. On this page NCSC-NL and partners will maintain a list of all known vulnerable and not vulnerable software. Furthermore, references to software will contain ...
    • Log4J Affected Apps/Vendors

      Lists of affected components and affected apps/vendors by CVE-2021-44228 (aka Log4shell or Log4j RCE) for security responders. We believe it is important to classify the vendors and products between: Internal risk - what you need to patch first to ...
    • Log4j Advisories, notices, patches, or updates

      Given the severity of the vulnerability and how easy it is to exploit it, CISA today released guidance for companies to set up defenses against Log4Shell attacks. The agency's recommendation is to "apply available patches immediately" and to ...