Critical Security Vulnerability Discovered Take Immediate Action
A new critical security vulnerability known as Log4Shell (Log4j) has been discovered that affects millions of services and products from organizations such as Apple, Amazon, Cisco, Google, IBM, Microsoft, and Tesla. This is one of the most serious security flaws in the last decade. Cybercriminals are actively using this flaw to carry out ransomware, data theft, and complete system takeover attacks.
Due to the severity of this security flaw, you may see emergency outages and downtime for services at Carnegie Mellon University and the Internet at large while the technology industry works to remediate their services and applications.
What You Need to Do
- Apply software updates when prompted.
- Do your part to keep Carnegie Mellon University safe. If you are notified by a vendor of a breach involving CMU data or suspect your system has been compromised, contact the Information Security Office (ISO) immediately for further instructions. DO NOT take any remediation action. REPORT A BREACH
Additional Actions for Service/System Administrators
If you are responsible for administering software, application services, or manage a Software as a Service (SaaS) vendor relationship, perform the following actions:
- If using vendor supplied services/software, review vendor specific advisories and/or perform self-service scans to determine exposure and required actions. See the Assessing Vulnerability section of Information Security Office's Log4Shell Security Alert.
- If the software is developed in-house or if you want more technical details, see the Information Security Office's Log4Shell Security Alert.
- Report the status of your services/software to the Information Security Office (ISO) at iso-ir@andrew.cmu.edu and your departmental computing administrators. Please update them and ask for additional guidance as needed.
Subscribe to Updates
Receive updates as details on this vulnerability evolve by subscribing to the ISO-Alert-Log4jVulnerability mailing list.
Technical Resources
- SEI CERT Coordination Center Vulnerability Note VU#930724 - Apache Log4j allows insecure JNDI lookups
- Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation
- National Vulnerability Database CVE-2021-4428 Detail (source: NIST)
- CVE-2021-4428 (source: Mitre CVE)
- Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package (source: LunaSec)
- Comprehensive, volunteer maintained list (source: Github)