Here we have collected information which may be useful to sites, Federated cloud users, and others.
We have NOT so far identified any EGI services as being exposed to this vulnerability.
General information
A flaw was found in the Java logging library Apache Log4j 2 which could allow a remote attacker to execute code on the server if the system logs an attacker controlled string value, as reported by
https://www.lunasec.io/docs/blog/log4j-zero-day/
Note that this is true for clients using log4j as well as services.
It should be noted that this vulnerability is fixed in 2.16 The fix in 2.15 was incomplete
**UPDATED on 6th January 2022**
The update in 2.16 was incomplete, those running Java 8 should update to Log4j 2.17.1.
Those running Java 7 should update to 2.12.4, Those running Java 6 should update to 2.3.2.
See the Log4j website at:
Log4j – Apache Log4j Security Vulnerabilities
Some advisories from different providers are collected here:
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Some affected software is collected here:
https://github.com/NCSC-NL/log4shell/tree/main/software
https://github.com/YfryTchsGD/Log4jAttackSurface
You can find additional information at the pages and in the heads up documented below.
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
https://github.com/NorthwaveSecurity/log4jcheck
Temporary Mitigation
Limited and temporary mitigation might be available, see:--
https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation
https://access.redhat.com/security/cve/CVE-2021-44228
Please ensure at least that any potentially affected service is not exposed to the internet !
For EGI Services
Sites and those providing EGI services should be reminded that if anyone becomes aware of any site or service where this (or any other vulnerability) has been exploited, the EGI CSIRT must be informed according to the procedure at