The European Commission, the EU Agency for Cybersecurity, CERT-EU and the network of the EU national computer security incident response teams (CSIRTs network) have been closely following the development of the Log4Shell vulnerability since 10 December 2021.
Log4Shell is a vulnerability in the well-known open source Java logging package Log4j, which is maintained by the Apache Software Foundation. Log4j is used in a wide array of applications and web services across the globe. Due to the nature of the vulnerability, its ubiquity and the complexity of patching in some of the impacted environments, it is important that all organisations, especially entities who fall under the Network and Information Security (NIS) Directive, assess their potential exposure as soon as possible.
The CSIRTs Network members are continuously updating a list of vulnerable software, which is maintained by the Dutch National Cyber Security Centre. It is important that adequate mitigation measures are applied in a timely manner and that organisations follow the guidance of their national cybersecurity authorities. The latest advisories published by the CSIRTs Network Members can be found in their relevant official communication channels. Organisations may also refer to guidance given by CERT-EU.
As this is a developing situation, we strongly recommend all organisations to regularly check the guidance provided by the CSIRTs Network Members and CERT-EU for the latest assessment and advice and to take actions as needed
The Agency and all relevant EU actors will continue to monitor this threat to contribute to the overall situational awareness at the Union level.
For technical background information about the vulnerability and recommendations: Security Advisory 2021-067 - CERT-EU
For guidance on response please refer to the relevant national authority: CSIRTs by Country - Interactive Map — ENISA
The latest advisories published by CSIRTs Network Members are available here: https://github.com/enisaeu/CNW/blob/main/advisories.md
For questions related to the press and interviews, please contact press(at)enisa.europa.eu
Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!