Original release date: December 13, 2021
CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
In response, CISA has created a webpage, Apache Log4j Vulnerability Guidance and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. CISA will continually update both the webpage and the GitHub repository.
CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately. CISA will continue to update the webpage as additional information becomes available.
This product is provided subject to this Notification and this Privacy & Use policy.
CISA released 10 Industrial Control Systems (ICS) advisories. These advisories provide timely information about current…
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA released one Industrial Control Systems (ICS) advisory on October 14, 2025. These advisories provide…
Today, CISA issued Emergency Directive ED 26-01: Mitigate Vulnerabilities in F5 Devices to direct Federal…
CISA released thirteen Industrial Control Systems (ICS) advisories on October 16, 2025. These advisories provide…
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
This website uses cookies.