Please note: As of Wednesday, December 29, a new CVE has been issued that impacts all versions of the logging library from 2.0-alpha7 to 2.17.0. The fixed versions of log4j are 2.3.2, 2.12.4, and 2.17.1. Please read below for recommended actions.
The following information is intended for University of Colorado server administrators who are responsible for university servers running the Apache Log4j Java-based logging utility, or running applications that have Log4j embedded.
December 29 update
What we know:
- Any software products leveraging log4j may be vulnerable, especially web-facing Java applications.
- Affected log4j versions: 2.0-alpha7 to 2.17.0 with the exception of 2.3.2 and 2.12.4.
- CVE-2021-44832 is rated moderate because it applies only in very specific circumstances: an attacker must already have control over the logging configuration to take advantage of the vulnerability.
What has changed?
Versions 2.0-alpha7 to 2.17.0, with the exception of 2.3.2 and 2.12.4, were found to have a remote code execution vulnerability via the JDBC Appender.
What should be done?
If you are an administrator for a web-facing application that could be impacted, it is critical that you investigate as soon as possible and upgrade if you are running a vulnerable version.
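To make the version ranges listed above mechanical to apply during that investigation, the following is an added Python example (not part of this advisory) that classifies a Log4j 2 version string, or a log4j-core jar file name found on a server, against the affected and fixed versions stated above. It assumes the usual Log4j version-string and jar-naming formats (pre-releases such as 2.0-alpha7 sort before the final release); the sample file list is constructed.

```python
"""Classify Log4j 2 versions against the CVE-2021-44832 ranges given in this advisory."""
import re

# Affected range and patched releases, exactly as the advisory states them.
LOWEST_AFFECTED = "2.0-alpha7"
HIGHEST_AFFECTED = "2.17.0"
FIXED_VERSIONS = {"2.3.2", "2.12.4", "2.17.1"}

# Assumed pre-release ordering: alpha < beta < rc < final release (rank 3).
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)
# Assumed jar naming convention, e.g. log4j-core-2.14.1.jar
_JAR_RE = re.compile(r"log4j-core-(\d[^/\\]*?)\.jar$")


def version_key(version: str):
    """Return a sortable tuple so that 2.0-alpha7 < 2.0-beta9 < 2.0 < 2.17.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    stage_rank = _STAGE_RANK[stage.lower()] if stage else 3
    return (int(major), int(minor), int(patch or 0), stage_rank, int(stage_num or 0))


def classify(version: str) -> str:
    """'vulnerable' (inside the affected range), 'fixed' (one of the three patched
    releases), or 'outside-range' (below 2.0-alpha7 or above 2.17.0, i.e. not
    covered by this advisory's affected range)."""
    version = version.strip()
    if version in FIXED_VERSIONS:
        return "fixed"
    key = version_key(version)
    if version_key(LOWEST_AFFECTED) <= key <= version_key(HIGHEST_AFFECTED):
        return "vulnerable"
    return "outside-range"


def scan_jar_names(paths):
    """Map each log4j-core jar path in a file listing to its classification."""
    results = {}
    for path in paths:
        m = _JAR_RE.search(path)
        if m:
            results[path] = classify(m.group(1))
    return results


if __name__ == "__main__":
    # Constructed sample listing, as an inventory script might collect it.
    sample = ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app2/lib/log4j-core-2.17.1.jar",
              "/opt/legacy/lib/log4j-core-2.0-beta9.jar", "/opt/app/lib/log4j-api-2.14.1.jar"]
    for path, verdict in scan_jar_names(sample).items():
        print(f"{verdict:14} {path}")
```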
If you have questions about the vulnerability, please contact the IT Service Center at 303-735-4357 or firstname.lastname@example.org. If you’ve identified a vulnerable application or an active exploit, please email email@example.com immediately.