Wednesday, December 22, 2021

Critical Java Vulnerability (Log4j)

In a computer program, a logging library's purpose is to record events to a file. These events could be a request for a web page, a user reports a crash, a sensor is reporting a harmful temperature, a chatbot question from a potential consumer, etc. There is a rule in secure programming to never trust user input because the input could be constructed to subvert the program. The idea that a logging library would parse log event data is incredibly stupid and the fact that it is the default behavior of Log4j 2 until the recent version 2.15 release is the basis of the current nightmare incident we are living through.

Technology vulnerabilities are reported using the CVE (Common Vulnerabilities and Exposures) system that is maintained by The MITRE Corporation. So far, three CVEs exist due to the Log4j vulnerability and they are:

The first CVE, CVE-2021-44228, has earned a perfect ten from CVSS, which is a scoring system to measure the severity of a given vulnerability. Many security experts have jokingly wondered what a perfect ten would be given that other widely deployed software with critical vulnerabilities rarely earn a 9.8. This Log4j situation is no joke, though.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published guidance for the Log4j incident.

Additionally, CISA has established a community sourced GitHub repository.

The Apache Foundation maintains Log4j 2 and publishes the Log4j 2 Change Release History Log.

ITS is tracking the evolving nature of this situation so that our organization is not impacted. If you have any concerns about particular software, services, etc. that you use at the College please email