As we communicated on Friday, Pitt Information Technology is aware of a zero-day, critical security vulnerability in Java logging library Log4j (CVE-2021-44228), also known as Log4shell. If successfully exploited, this vulnerability can allow unauthenticated remote code execution and access to servers. Below please find additional information and guidance about this new vulnerability.
What Is Log4j?
Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications, and email services. As a result, a wide range of software could be at risk from attempts to exploit the vulnerability. The severity of the vulnerability in such a widely used library means that organizations and technology vendors are being urged to counter the threat as soon as possible. Pitt IT has detected attackers already attempting to scan for vulnerable instances of Log4j.
What Versions of Log4j Are Affected?
Systems and services that use the Log4j Java logging library between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java. Other versions that have yet to be identified may also be affected.
Log4j version 1.x is not directly vulnerable, because it does not offer a JNDI look up mechanism. However, Log4j 1.x comes with JMSAppender, which will perform a JNDI lookup if enabled in Log4j's configuration file (i.e., log4j.properties or log4j.xml). Thus, an attacker who can write to an application's Log4j configuration file can perform a remote code execution attack whenever Log4j 1.x reads its malicious configuration file.
What Mitigations Steps Should Be Taken?
- Pitt IT is in process of contacting enterprise service vendors to apply the recommended mitigations immediately to address the critical vulnerabilities.
- IT Partners should also contact all application vendors for the services they support and apply the recommended mitigations as soon as possible.
Does the SLF4J API Mitigate the Vulnerability?
No. Using Log4j 2.x via the SLF4J Application Programming Interface does not mitigate the vulnerability. However, as mentioned previously, Log4j version 1.x is safe with respect to this vulnerability. Therefore, if your SLF4J provider/binding is slf4j-logj12.jar, you are not affected by this vulnerability.
Please contact the 24/7 IT Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.