Media Statement on Zero-Day Vulnerability in Apache Java Logging Library Log4j

1              There have been recent reports of a zero-day critical vulnerability “Log4Shell” that is found in the Apache Java logging library Log4j 2^[1]. It is an open-source Java package used to support activity-logging in many Java-based applications and the affected package is widely used by developers. Successful exploitation could allow an attacker to gain full control of the affected servers.

2              The Cyber Security Agency of Singapore (CSA) is closely monitoring the situation as this is a critical vulnerability. Thus far, CSA has not received any reports of breaches related to this vulnerability. We have sent out alerts to Critical Information Infrastructure (CII) sector leads and businesses to patch their systems to the latest version immediately. We have also briefed the CII Sector Leads and are working with them to implement mitigation measures immediately.

3              CSA has reached out to our partner agencies overseas, as well as ASEAN Member States’ Computer Emergency Response Teams, to exchange information and gather the latest updates.

4              Cyber criminals and threat actors will exploit this critical vulnerability. As we only have a short window to implement mitigation measures, we urge organisations to take action quickly.  For more information on the measures to take to protect their systems, organisations can refer to SingCERT’s alert at Immediate Actions to Protect Against Exploitation of the Apache Java Logging Library Log4j Vulnerability.

^[1] Log4j is a reliable, fast, flexible and open-source logging library framework written in Java and distributed under Apache Software License, used in many Java applications and services for logging activities and events. A framework provides a standard way for developing software applications.