
Posted: 01/10/2022

NPCC Security Bulletin: Apache Log4j Vulnerability Guidance

TLP: WHITE

January 11, 2022

Apache Log4j Vulnerability Guidance

 

The Cybersecurity & Infrastructure Security Agency (CISA) and its partners issued guidance and multiple resources to mitigate CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105, vulnerabilities in Apache’s Log4j software library. Log4j is broadly used in a variety of consumer and enterprise services, websites, and applications, as well as in operational technology products, to log security and performance information. The vulnerability allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP/RMI servers when message lookup substitution is enabled. The following mitigations are recommended:

 


  DOWNLOAD ATTACHMENT 1
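The inventory check below is an added example, not part of the NPCC bulletin, its attachment, or CISA's resources. It finds copies of log4j-core inside application archives (including JARs nested in WAR/EAR files) and reports whether each still carries the JNDI lookup class; the minimum fixed version is a parameter to be set from the vendor advisory, and the `FLOOR` value, version strings and archives in the sample are constructed placeholders.

```python
import io, re, zipfile

# Entry names inside a log4j-core JAR (real names, but not taken from the bulletin).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTED = 64 * 1024 * 1024  # skip larger nested archives (zip-bomb guard)

def parse_version(text):
    """'1.2-rc3' -> (1, 2, 3): first three numeric fields, zero-padded."""
    return (tuple(int(n) for n in re.findall(r"\d+", text)[:3]) + (0, 0, 0))[:3]

def scan_archive(data, floor, path="<root>", depth=0, max_depth=5):
    """List (path, version, status) for each log4j-core copy, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        if has_jndi or POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(\S+)", props, re.M)
            version = m.group(1) if m else None
            # No version metadata usually means a shaded or repackaged copy: review by hand.
            status = ("unknown" if version is None else "ok" if parse_version(version) >= floor
                      else "outdated" if has_jndi else "outdated-no-jndi")
            findings.append((path, version, status))
        for name in sorted(names):
            nested = name.lower().endswith(ARCHIVE_EXT) and depth < max_depth
            if nested and zf.getinfo(name).file_size <= MAX_NESTED:
                findings += scan_archive(zf.read(name), floor, f"{path}!/{name}", depth + 1, max_depth)
    return findings

def make_jar(entries):
    """Build an in-memory archive from {name: bytes}; only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    FLOOR = (99, 0, 0)  # placeholder: set to the fixed release named in the vendor advisory
    old = make_jar({POM_PROPS: b"version=0.0.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    app = make_jar({"WEB-INF/lib/log4j-core.jar": old})  # constructed sample WAR
    print(scan_archive(app, FLOOR, "app.war"))
```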