Log4j Remote Code Execution Vulnerability

 Action Needed

Last updated December 29, 2021

What you must do immediately to avoid compromise of the University’s infrastructure: 

  1. Evaluate your systems to determine which of your systems are running vulnerable versions of the Apache log4j library (between version 2.0 and 2.17.0), including library usage that may be embedded in vendor-provided systems. 
  2. Implement the mitigations listed below or apply any vendor patches available at this time.
  3. Restart to apply the mitigations.

Mitigations

  1. Upgrade your log4j version to log4j 2.17.1 or later for Java 8. (Update to log4j 2.12.4 for Java 7 and 2.3.2 for Java 6.) 
  2. Fully restart the application or system to apply mitigations. This may require down time and service impacts should be expected. 

The other mitigation steps previously listed are no longer valid. If you cannot upgrade to at least log4j 2.17, take the system or application offline. If you’ve upgraded to 2.16 or 2.17, plan an upgrade to 2.17.1 in an orderly manner.

FAQ

Expand all

How do I know if my application or system is vulnerable?

Checking whether your system or application is vulnerable is going to be product-dependent. UIS will add information here as it becomes available. 

For Operating Systems

For CentOS and related OSes, you can probably query a package manager, e.g.:

yum list installed '*log4j*'

Use the package manager options relevant for your OS for other OS types (e.g., Debian, FreeBSD, Windows).

Also, searching the filesystem with something like the following would probably catch most cases:

find / -name 'log4j*.jar' -ls 

For Applications

Log4j may be embedded in a webapp archive as well (WAR file) or another JAR file, which are just fancy zip files that can have contents listed with: 

unzip -l [warfile|jarfile].

Those who have software installed via methods other than the OS's native package management can search for files relating to log4j, using syntax relevant to your OS, such as:

find / -type f -name '*log4j*'

or

find / -type f | fgrep -i log4j

The former searches specifically for files with names matching "log4j" while the latter will search for similar things in a case-insensitive manner. Something returning zero results may mean that you don't have the affected software installed. If you do have results from these searches, check the version number to see if it's affected.

The "locate" command available on most Linux systems may locate log4j files much faster than "find:"

locate -i log4j

However, "locate" is dependent upon the existence of its internal db. So running this command will very quickly determine positive matches to the file but a negative result (no output from the "locate" command) does not indicate with certainty that the files are not present and so further exploration such as the "find" command above should be used.

For Appliances

For appliance-like systems, consult with the vendor.  

There are different methods for adjusting JVM configuration for each product, and we recommend contacting the vendor and UIS if it is unclear how to do so in a given system.

Other Resources to Check

Github Gist on the log4j vulnerability

This GitHub Gist has links to numerous projects' comments about this bug. While you should ensure that you are viewing the authoritative source of information for a software application or project, these links may help get you to the right place.

CISA Guidance

The Cybersecurity & Infrastructure Security Agency has developed log4j guidance.

Is log4j 1.x vulnerable?

From SLF4J's log4shell page:

“As log4j 1.x does NOT offer a JNDI look up mechanism at the message level, it does NOT suffer from CVE-2021-44228.”

However, 1.x hasn’t been patched since 2015, and log4j has been noted as an extremely high value target by a whole lot of people that are tearing code apart for all versions. Other than the JMSAppender, nothing so far but, like the print spooler festival, this probably isn’t over.

1.x is already a policy violation, since it’s not maintained or supported (other than contained inside vendor products where there’s support from that vendor for the whole system).

Depending on configuration, it’s vulnerable to a very similar bug to 2.x. It’s slightly different (different CVE, slightly harder to exploit), but it’s out there.

What version of log4j should I upgrade to?

Log4j 2.17.1 was announced 12/28/2021. Log4j  2.15, 2.16 and 2.17.0 are vulnerable to new attacks. Expect further releases in the foreseeable future.

  • Prioritize entirely unpatched systems and upgrade those to 2.17.1 immediately.
  • If you’ve upgraded to 2.17.0, upgrade to 2.17.1 in an orderly manner.

Once I believe my system is mitigated/clean how can I test it?

To request a re-detect, send email to UIS at [email protected] containing the following information for each system:

  • http host name 
  • IP address
  • port
  • method (http / https) 

UIS will attempt to turn these requests around within one business day.

 

The vendor says the application is not vulnerable. Why did it turn up as vulnerable in the UIS detect results?

Like everyone else, vendors are scrambling to address this vulnerability. To make sure  recommendations from your vendor have not changed, check back in with them periodically. It’s also possible that the UIS detect results are incorrect. Either way, please follow up with UIS for assistance.

A resource I use daily is unavailable, is that because of this vulnerability? What should I do?

Check the System Status page.