CSA Raises Alert in Light of the Apache Java Logging Library Log4j Vulnerability

      Following recent reports of the zero-day critical vulnerability “Log4Shell” found in the Apache Java logging library Log4j, the Cyber Security Agency of Singapore (CSA) has raised the alert and is working with Critical Information Infrastructure (CII) sectors and organisations to patch their systems, and take remediation and mitigation measures immediately.

2      Log4j is an open-source Java package used to support activity-logging in many Java-based applications. As it is widely used by developers, this vulnerability can have very serious consequences. Successful exploitation of this vulnerability will allow an attacker to gain full control of the affected servers. The situation is evolving rapidly and there have already been numerous observations of ongoing attempts by threat actors to scan for and attack vulnerable systems.

3      CSA is monitoring the situation closely. There have been two emergency meetings by CSA with all the CII sector leads to issue directions and technical details, and to heighten monitoring for unusual activities. Aside from earlier advisories, CSA has also organised a briefing session this morning to trade associations and chambers to underscore the seriousness of the vulnerability and urgency of implementing mitigation measures for all businesses and SMEs.

4      CSA urges users and product developers to implement the mitigation measures listed below immediately:

i) Users of products with Log4j should:

  • Patch to the latest updates immediately, especially for users of Apache Log4j with affected versions between 2.0 and 2.14.1. They are advised to upgrade to the latest version 2.16.0 immediately.

  • Determine if Log4j is used in other instances within their system.

  • Heighten monitoring for anomalous activity; deploy Protective Network Monitoring and Review System Logs.

ii) Product developers that use Log4j in their products should:

  • Identify, mitigate and develop patches for affected products that utilise Log4j.

  • Inform end-users of your products that contain this vulnerability and strongly urge them to prioritise software updates.

5      Organisations can refer to SingCERT’s advisory at Immediate Actions to Protect Against Exploitation of the Apache Java Logging Library Log4j Vulnerability for more information.

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes.

CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.