Here we have collected information which may be useful to sites, Federated cloud users, and others.

We have NOT so far identified any EGI services as being exposed to this vulnerability.

General information

A flaw was found in the Java logging library Apache Log4j 2 which could allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value, as reported by

Note that this is true for clients using log4j as well as services.

It should be noted that this vulnerability is fixed in 2.16. The fix in 2.15 was incomplete.

Log4j – Apache Log4j Security Vulnerabilities
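
As an added example (not part of the original page and not EGI tooling), the following Python script inventories `log4j-core` jars under a directory, including copies bundled inside JAR/WAR/EAR archives, and classifies each against the versions stated above. It assumes the standard `log4j-core-<version>.jar` file naming; the function names are illustrative.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# File name of the Log4j 2 core artifact, e.g. log4j-core-2.14.1.jar
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(name):
    """Return (version, status) for a log4j-core jar name, or None."""
    m = CORE_JAR.search(name)
    if not m:
        return None
    ver = tuple(int(g or 0) for g in m.groups())
    status = "unfixed"
    if ver >= (2, 16, 0):
        status = "fixed"           # this page: fixed in 2.16
    elif ver >= (2, 15, 0):
        status = "incomplete-fix"  # this page: the 2.15 fix was incomplete
    return ".".join(map(str, ver)), status

def scan_archive(src, label, depth=0):
    """Yield (location, version, status) for jars bundled inside an archive."""
    try:
        with zipfile.ZipFile(src) as zf:
            for entry in zf.namelist():
                hit = classify(entry)
                if hit:
                    yield (f"{label}!{entry}", *hit)
                elif depth < 4 and entry.lower().endswith(ARCHIVES):  # bounded nesting
                    nested = io.BytesIO(zf.read(entry))
                    yield from scan_archive(nested, f"{label}!{entry}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        return  # unreadable, encrypted or not really a zip: skip it

def scan_tree(root):
    """Walk a directory and report every log4j-core jar, loose or bundled."""
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        hit = classify(path.name)
        if hit:
            yield (str(path), *hit)
        elif path.suffix.lower() in ARCHIVES:
            yield from scan_archive(str(path), str(path))

if __name__ == "__main__":
    for loc, ver, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:<15}{ver:<10}{loc}")
```

Detection is by file name only, so copies of the library repackaged under a different name (for example inside a shaded jar) are not found and need a separate check.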

Some advisories from different providers are collected here:

Some affected software is collected here:

You can find additional information at the pages and in the heads up documented below.

Temporary Mitigation

Limited and temporary mitigation might be available, see:

Please ensure, at the very least, that any potentially affected service is not exposed to the internet!

For EGI Services

Sites and those providing EGI services should be reminded that if anyone becomes aware of any site or service where this (or any other vulnerability) has been exploited, the EGI CSIRT must be informed according to the procedure at

SEC01 EGI CSIRT Security Incident Handling Procedure