Security Vulnerability - Log4J (Java library) - December 13, 2021

Summary of Vulnerability

Dartmouth's Information Security team in conjunction with the IT community has a identified a vulnerability inside of a library (log4j) of an open source Java-based logging framework. The Apache log4j library allows for developers to log various data within their application. The vulnerability was identified to Dartmouth on Thursday, December 9, 2021.

Scope

• Systems relying on Apache Server using the Log4j library.
• The Log4j library is part of common framework that is used to underpin many systems.

Dartmouth's Response

• Our Information Security team is working with our Infrastructure teams to identify and patch vulnerable systems.
• The Information Security team has been retroactively identifying any possible exploitation of the vulnerability on Dartmouth systems.

What do I need to know?

• Dartmouth is actively mitigating risk from this vulnerability by patching all identified systems with an updated version of the library.
• Dartmouth's vendor partners are also actively updating their systems for this vulnerability.
• More technical information about this vulnerability is available at: https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/ or https://www.indiatoday.in/technology/features/story/log4j-zero-day-vulnerability-what-it-is-and-how-it-impacts-users-all-explained-in-5-points-1887213-2021-12-13.

What do I need to do?

• Update vendor applications as soon as you are prompted by the vendor or Dartmouth.
• If you are systems administrator for an Apache server not supported by your IT organization, please contact your local IT Service Desk for more information: https://services.dartmouth.edu/TDClient/1806/Portal/KB/ArticleDet?ID=64861.