Vulnerability in Apache Log4j Could Allow for Remote Code Execution | Information Technology | University of Pittsburgh
Vulnerability in Apache Log4j Could Allow for Remote Code Execution

Friday, December 10, 2021 - 14:48

Pitt Information Technology is aware of a new critical vulnerability in Apache Log4j, a commonly used logging package for Java. An attacker who successfully exploits the vulnerability could execute remote code within the context of the systems and services that use the Java logging library, including many services and applications written in Java.

Pitt IT is not aware of the vulnerability being exploited at the University, but it is being actively exploited elsewhere. We recommend that units with devices running Apache Log4j take the following actions:

  • Apply the latest patches (version 2.15.0) provided by Apache after appropriate testing.
  • Run all systems and services as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the Principle of Least Privilege to all systems and services.

Additional details are available from the SANS Technology Institute. Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.