Major vulnerability in log4j

December 14, 2021

Major vulnerability in log4j – Immediate action required by all systems & web administrators and others

A critical vulnerability has been discovered in log4j, Apache's widely used Java logging library, and it is actively being exploited. This affects systems and web administrators on campus, including those who support products with a web interface, and it also requires the attention of anyone who manages a relationship with a Software as a Service (SaaS) vendor.

Tufts Technology Services (TTS) is working with the community and vendors to ensure that every affected area and service is fixed immediately or placed behind our VPN until a fix is available. Because this is a critical vulnerability (see details below) and we must protect Tufts and our data, anything that is not fixed, or cannot be fixed, within a 24-48 hour timeframe will be shut down or dropped from our network until it is fixed.

Why this is particularly critical:

  • If a system is vulnerable, the exploit can grant full system access.
  • The vulnerability requires a low level of skill to exploit.
  • The exploit can be sent over HTTPS, where we may not be able to inspect the encrypted traffic or block the port.
  • We are blocking this attack pattern at our campus edge. We are seeing a significant volume of attempts.
  • As of now, there is not a reliable way to detect it via a vulnerability scanner, like InsightVM. Update 12/13: We have received updates to our vulnerability scanner that will now allow us to detect the presence of vulnerable log4j installations if local account access for the scanner has been configured. We will share the scanner results with systems and application administrators as we receive them.
  • The package may be installed and built locally, making detection via package managers like rpm more difficult.

What you need to do:

If you manage the relationship with a SaaS vendor or run a vended product with a web interface, you should:

  • Check the vendor's website to see how they are addressing the vulnerability.
  • If the website says nothing, contact the vendor immediately for more information about how they are addressing the vulnerability.
  • If a vendor notifies you of a data breach, contact TTS Info-Security (abuse@tufts.edu).
  • See below for an e-mail template for contacting your vendors.

IMPORTANT: All administrators of web services should review their installations for the presence of log4j and update it as needed. (See Knowledgebase article (KB0013996) for details and additional resources.)
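Because a locally built or bundled copy of log4j leaves no rpm record, a filesystem check is the practical way to find it. The script below is an added example, not part of this advisory or of the KB article: it walks a directory tree, opens every .jar/.war/.ear/.zip it finds (recursing into archives nested inside archives, as in WEB-INF/lib), and reports any archive containing log4j-core classes, together with the version recorded in Maven's pom.properties when present and whether the JndiLookup class is bundled. The pom.properties and JndiLookup paths are the standard Maven and log4j layouts; the sample archives and directory names are constructed for the demonstration. It deliberately does not hard-code which versions are fixed: compare each reported version against the current Apache log4j advisory.

```python
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_NESTING = 5  # stop recursing into archives-in-archives beyond this depth


@dataclass
class Finding:
    location: str     # filesystem path; nested entries are appended after "!"
    version: str      # version from pom.properties, or "unknown" if not recorded
    jndi_lookup: bool # True if JndiLookup.class is present in the archive


def _parse_version(data: bytes) -> str:
    """Pull the version= line out of a Maven pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_archive(zf: zipfile.ZipFile, location: str, findings: list, depth: int = 0) -> None:
    """Report log4j-core content in this archive, then recurse into nested archives."""
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = _parse_version(zf.read(POM_PROPS)) if POM_PROPS in names else "unknown"
        findings.append(Finding(location, version, JNDI_LOOKUP in names))
    if depth >= MAX_NESTING:
        return
    for n in names:
        if n.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    scan_archive(inner, f"{location}!{n}", findings, depth + 1)
            except zipfile.BadZipFile:
                continue  # an entry named *.jar that is not a real zip


def scan_tree(root: str) -> list:
    """Walk a directory tree and return Findings sorted by location."""
    findings: list = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f.location)


def build_sample_tree(base: str) -> None:
    """Constructed sample data (placeholder bytes, not real log4j classes)."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    # 1. A web application that bundles log4j-core as a jar inside the war.
    webapps = os.path.join(base, "webapps")
    os.makedirs(webapps)
    with zipfile.ZipFile(os.path.join(webapps, "portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    # 2. A locally built "uber" jar with log4j classes copied in under a neutral
    #    name and no pom.properties: invisible to rpm and to filename-only searches.
    lib = os.path.join(base, "opt", "app", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "app-all.jar"), "w") as uber:
        uber.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        uber.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    # 3. An unrelated jar, which must not be reported.
    with zipfile.ZipFile(os.path.join(lib, "commons-io.jar"), "w") as other:
        other.writestr("org/apache/commons/io/IOUtils.class", b"\xca\xfe\xba\xbe")


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        prefix = tmp + os.sep
        return [Finding(f.location[len(prefix):], f.version, f.jndi_lookup)
                for f in scan_tree(tmp)]


if __name__ == "__main__":
    for f in demo():
        print(f"{f.location}  version={f.version}  JndiLookup={f.jndi_lookup}")
```

Run it against a real host with scan_tree("/") (or the application directories you care about) rather than demo(); the "unknown" version on a renamed or repackaged jar is exactly the case that needs manual review, since the JndiLookup flag tells you the vulnerable lookup is on the classpath even when no version is recorded.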


Email Template for Contacting Vendors

To: INSERT Vendor Name/Contact

Subject: Status of log4j vulnerability

As you may be aware, there is a major vulnerability in log4j. We need to know from you:

  • Whether our software or service is vulnerable and, if so, what you are doing to address the situation.
  • Please check your logs to see if you have been compromised through this vulnerability. If you confirm that a service we have with you has been breached, contact us at abuse@tufts.edu with a description of what happened, including the date and time of the incident. Also, please forward copies of the logs to our incident response team.