On December 9, 2021, a vulnerability in the popular Java logging library Log4j—used by developers of web and server applications around the world—was discovered and made public. The zero-day vulnerability allows for code to be run remotely by sending a malicious code string, allowing a hacker to take control. Published the next day in the National Vulnerability Database as CVE-2021-44228, it is already being exploited in the wild across Windows, Linux, macOS and devices. Teams across the internet are working to patch enterprise systems and web apps to protect against these critical zero-day exploits. Even games like Minecraft can be impacted, leading Microsoft to post instructions on how players of the Java version can patch their systems. Of course, our Security Team is aware of the issue and reviewing SMU systems to determine impact.
Leading the response effort for SMU and working with areas across campus with mitigation options, the OIT Security Team is scanning servers in our data center to provide better insight into the extent of the impact. As our on-campus third-party server applications and software vendors release updates to the Log4Shell vulnerability, we deploy them as quickly as possible and will work to reduce the impact during finals. Our cloud-based products will be updated at the vendor’s discretion. Some vendors, such as Appspace and CampusPress have already reported that their systems are not vulnerable to CVE-2021-44228 (also known as Log4Shell or LogJam). Instructure, the parent company of the Canvas LMS, reports that it has reviewed all instances of Log4j2 in Instructure products and implemented mitigations or upgrades to the services. We expect other vendors to do the same within the next 48 hours.
For more information, please reference the following resources. This is a developing issue and information will continue to change as we learn more.
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/
- https://logging.apache.org/log4j/2.x/security.html
- https://www.wired.com/story/log4j-flaw-hacking-internet/
