As has become known and has already been reported in the relevant media, there is currently a critical security vulnerability in Log4j, a popular logging library for Java applications.
Contrary to initial assumptions, the vulnerability affects not only versions 2.0 to 2.15 of Log4j but also versions 1.x, although the risk there is somewhat limited.
We ask you to check your applications for the use of Log4j and, if necessary, to apply the patches and/or updated software versions that are already available.
Where these are not available, we recommend temporarily blocking access from the outside if possible. There are now a variety of sites with helpful information on how to determine whether your servers and applications are affected and how to remedy the situation.
We refer here to the constantly updated German-language pages
- of cert.at: https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-apache-log4j-bibliothek

and to further English-language pages, e.g.
- CISA: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
- a page on github.com with a good overview of the affected applications: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
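
As a first pass at the check requested above, the following added example (not part of the original notice and not a TU.it tool) walks a directory tree, looks inside JAR/WAR/EAR archives for bundled copies, and sorts each Log4j JAR it finds into the version ranges named in this notice. It assumes the conventional file names `log4j-<version>.jar` and `log4j-core-<version>.jar`; renamed or shaded copies are not detected, so a clean result does not prove an application is unaffected.

```python
import io
import os
import re
import sys
import zipfile

# File names such as log4j-1.2.17.jar or log4j-core-2.14.1.jar (assumed naming).
JAR_RE = re.compile(r"(?:^|[/!])log4j(?:-core)?-(\d+)\.(\d+)[^/!]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")
MAX_DEPTH = 3  # stop descending into archives nested deeper than this


def classify(major, minor):
    """Map a version onto the ranges named in the notice."""
    if major == 1:
        return "1.x (limited risk)"
    if major == 2 and minor <= 15:
        return "2.0-2.15 (affected)"
    return "outside the named ranges"


def check_name(label, findings):
    m = JAR_RE.search(label.replace("\\", "/"))
    if m:
        findings.append((label, classify(int(m.group(1)), int(m.group(2)))))


def scan_archive(src, label, findings, depth=0):
    """Find log4j JARs bundled inside a JAR/WAR/EAR (src: path or file object)."""
    try:
        with zipfile.ZipFile(src) as zf:
            for name in zf.namelist():
                inner = f"{label}!{name}"
                check_name(inner, findings)
                if name.lower().endswith(ARCHIVES) and depth < MAX_DEPTH:
                    scan_archive(io.BytesIO(zf.read(name)), inner, findings, depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a real archive: skip it


def scan_tree(root):
    """Return [(location, classification)] for every log4j JAR under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            check_name(path, findings)
            if fname.lower().endswith(ARCHIVES):
                scan_archive(path, path, findings)
    return findings


if __name__ == "__main__":
    for location, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{location}")
```

Run it with the application or server directory as its only argument; locations inside an archive are printed as `outer.war!path/inside`.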
On Monday we began checking all systems operated by TU.it for this vulnerability and securing them; this process is almost complete. We will keep you up to date on the security status.
As a further step, we took measures on the perimeter firewall as soon as the vulnerability became known, in order to block these attack attempts as far as we are able to filter them.
For further questions please contact: firstname.lastname@example.org