The Australian Cyber Security Centre (ACSC), along with international cyber security agency partners from the United States, United Kingdom, Canada and New Zealand, have issued a joint advisory with technical details, mitigations, and resources to help address critical vulnerabilities in the Apache Log4j software library.
The joint advisory is in response to the active, worldwide exploitation by malicious cyber actors of vulnerabilities found in the widely used Java-based logging package Log4j.
The advisory from the ACSC, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC) and the United Kingdom's National Cyber Security Centre (NCSC-UK), provides critical guidance for organisations or individuals using products with Log4j, which should be implemented immediately.
Acting head of ACSC, Jessica Hunter, has said malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world. To address this threat we all need to be proactive in our efforts to fix vulnerabilities and be alert to malicious cyber activity.
All international agency partners have been working with entities in the public and private sectors since the first vulnerability was discovered to identify vulnerable products, raise awareness, and encourage all potentially affected organisations to take immediate action.
The joint advisory provides valuable resources to help organisations further strengthen their defences and resiliency against these vulnerabilities, as well as other cyber threats.
Every executive and leader is strongly encouraged to ensure their business, organisation, or government agency is taking appropriate action to address the Log4j vulnerabilities.
ACSC's alert and advisory on the Log4j vulnerability is being continually updated on cyber.gov.au.
This is an evolving situation. Updates will be provided as we learn and assess new information. Read the full joint cybersecurity advisory and full statement here.
