12/22/21 – Log4j Security Vulnerability

Need to Update Systems Now: Security Vulnerability

The global IT community, including the federal government, is responding to active, widespread exploitation of a critical security vulnerability in consumer and enterprise services, websites, and applications using Apache’s Log4j software to log security and performance information. This vulnerability can be used to get into systems or servers from any location and without using a password.

What you need to do:

For these vulnerabilities to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement security updates as soon as possible. Many common internet systems and software applications use Log4j, and each must be patched separately.

• If you manage updates to an affected system: Several updates have already been released by Apache and the latest version of Log4j should be installed immediately. As of December 18, 2021, systems should be updated to use Log4j version 2.17.0

  • You may be able to check if an application is vulnerable using proof-of-contact script(s)

  • If there is risk of infection/compromise, please send an email to security@uw.edu

• If you rely on a vendor or another party to manage updates to your system: Submit a customer support ticket to the organization requesting confirmation of any mitigation and updates to affected products to use the latest version of Log4j.

• If you’re relying on an appliance with a web-based front end: Check for updates using the device’s administration console immediately. Verify either by checking the product website or contacting your vendor to ensure that they are not vulnerable or have a patch to remediate the issue as soon as possible.

• As always, as a faculty or staff member of the University of Washington: Make sure your computer is up to date by installing all software updates. UWB IT routinely sends updates to your computer through Husky OnNet. Log in today to see if there are any updates waiting.

What to expect:

The breadth of impact of this vulnerability is not yet fully known; many applications could be impacted and require updates. This should be treated as an ongoing incident that requires vigilance from our technical campus partners. Updates specific to Log4j can be found on the following websites:

• Updated security info about Log4j is hosted by UW CISO Office: Apache Log4j: Patch NOW | Office of the CISO (uw.edu)
• Organizations are urged to review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance.
• In addition to the immediate actions detailed above, review CISA’s GitHub repository for a list of affected vendor information and apply software updates as soon as they are available.

Support

• If you have questions, or would like assistance, please contact UWB IT.
• Join the Community of Practice for Security Advocates.
• This message along with any updated resources will be available on the IT News & Updates webpage

Thank you for your help keeping us and the UW secure.