Critical Security Vulnerability issue: CVE-2021-44228
A critical vulnerability in the Apache Log4j library has been identified (CVE-2021-44228) and has been publicly disclosed. This vulnerability allows remote code execution, and for this reason is considered extremely harmful. The affected library is in widespread use by platforms which use Java, including VMware, Oracle, NetApp, IBM’s Tivoli, some Cisco products, and many others.
Exploits are available for this vulnerability, so it is important that you ensure affected systems are not publicly accessible until the relevant products are patched.
As this is a newly disclosed vulnerability, the relevant product suppliers are currently working on patches for their software, and these will need quality assurance before being released. Thus, if you have an affected product, you may have to warn your users that the duration of any necessary application downtime depends on this.
HEAnet have run an initial security risk assessment on our infrastructure, and we believe that our services are not affected by this vulnerability.
We urge clients to review their systems, and if necessary, review relevant product suppliers’ security announcements. If you need any assistance from HEAnet, please get in contact by email at noc@heanet.ie, but please phone 01-6609040 if you have an urgent problem.
For further information please see Alerts & Advisories from the National Cyber Security Centre (NCSC): https://www.ncsc.gov.ie/pdfs/apache-log4j-101221.pdf
