Carnegie Mellon University

Critical Security Vulnerability Discovered: Take Immediate Action

A new critical security vulnerability known as Log4Shell (Log4j) has been discovered that affects millions of services and products from organizations such as Apple, Amazon, Cisco, Google, IBM, Microsoft, and Tesla. This is one of the most serious security flaws of the last decade. Cybercriminals are actively exploiting this flaw to carry out ransomware attacks, data theft, and complete system takeovers.

Due to the severity of this security flaw, you may see emergency outages and downtime for services at Carnegie Mellon University and the Internet at large while the technology industry works to remediate their services and applications.

What You Need to Do

  • Apply software updates when prompted.
  • Do your part to keep Carnegie Mellon University safe. If you are notified by a vendor of a breach involving CMU data, or you suspect your system has been compromised, contact the Information Security Office (ISO) immediately for further instructions. DO NOT take any remediation action on your own.

Additional Actions for Service/System Administrators

If you are responsible for administering software, application services, or manage a Software as a Service (SaaS) vendor relationship, perform the following actions:

  • If you use vendor-supplied services or software, review the vendor's specific advisories and/or perform self-service scans to determine your exposure and the required actions. See the Assessing Vulnerability section of the Information Security Office's Log4Shell Security Alert.
  • If the software is developed in-house, or if you want more technical details, see the Information Security Office's Log4Shell Security Alert.
  • Report the status of your services/software to the Information Security Office (ISO) at iso-ir@andrew.cmu.edu and your departmental computing administrators. Please update them and ask for additional guidance as needed.

Subscribe to Updates

Receive updates as details on this vulnerability evolve by subscribing to the ISO-Alert-Log4jVulnerability mailing list.