Apache Log4j Vulnerability Guidance
Please ensure that your Chief Fiscal Officer and IT staff are informed of this alert!
A vulnerability in Apache Log4j code can allow an unauthenticated user to take control of an affected system. In response, the Office of the Comptroller, acting on the guidance of the federal Cybersecurity and Infrastructure Security Agency (CISA), is reviewing statewide enterprise systems and will take appropriate action if necessary. This code is used in a broad variety of consumer and enterprise services, websites, applications, and operational technology products.
All organizations should prioritize the review of mission-critical systems, internet-facing systems, and networked servers to determine whether they use the affected code.
CISA has published guidance that includes a library of impacted systems and remediation strategies. This is an evolving issue that is expected to take time to mitigate, and additional patching may be necessary. CISA will be issuing additional guidance as needed.
Departments should also refer to guidance from their third-party service providers. If resources are found to be affected, departments must patch and remediate.
If your department needs assistance with investigations and remediation, the Statewide Contract for Cyber Preparedness and Remediation is available to assist state agencies and local government.