[de.NBI Cloud Tuebingen] log4j vulnerability information

14.12.2021 - 14:38
Dear Cloud Users,

As you may have noticed, a recently discovered security vulnerability is making big waves in the IT world. The affected library is log4j (version 2.0-2.4.1), which is used for logging in numerous Java applications and web servers. The vulnerability allows attackers to execute code on affected systems and thus compromise them at will. For more detail see: https://safecomputing.umich.edu/security-alerts/update-apache-log4j-utility-address-zero-day-vulnerability

For your own protection, we recommend that you check whether your systems in fact use the log4j library. If in doubt, assume that it is being used. If it is being used, check to see if the vulnerability has already been exploited (see: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b and https://github.com/hillu/local-log4j-vuln-scanner). Based on this, weigh up whether a temporary shutdown of affected services makes sense. In any case, it is recommended to update all applications in question as soon as possible. The first security patches have already been released.

On behalf of the de.NBI cloud team Tübingen,
Fabian Paz