Severe Software Vulnerability in Apache's Java Logging Library

December 14, 2021

The UC Berkeley Information Security Office is responding to a newly revealed severe software vulnerability in Apache's Java logging library, Log4j.

This vulnerability affects a broad range of websites, applications, and devices across the internet, which is what makes it so dangerous.

What is Log4j?

Log4j is a widely used Java library for logging error messages in applications. It is used in enterprise software applications, including custom applications developed by businesses, and forms part of many cloud computing services.

How big of a deal is this vulnerability?

It's a big deal. Security experts have warned that there are hundreds of thousands of attempts by attackers to find vulnerable devices.

What can I do?

  • Vendors are rolling out patches/updates as fast as they can. Make sure your internet-connected devices, apps, and software are patched and up to date.
  • Before leaving campus for the holidays, power down or remove from the network any servers or devices that will not be in use, especially if you’re not sure whether they are affected.
  • If you support campus systems, review our security alert for this vulnerability.
  • If you receive any suspicious email, report it to us without clicking on any links or replying to the sender.

Examples of potentially impacted websites, applications, or devices:

This is not an exhaustive list but gives insight into how wide-ranging this vulnerability is. The Cybersecurity and Infrastructure Security Agency also has a repository of affected systems.

  • Atlassian - Confluence Server and Data Center
  • Amazon Web Services
  • Cisco
  • Commvault
  • Fortinet
  • Oracle
  • Red Hat
  • VMware

If you have any questions about a system you support, contact us at security@berkeley.edu.

Additional resources: