Log4Shell vulnerability alert
Keep your devices up to date to avoid this significant digital threat.
December 15, 2021
The Log4Shell vulnerability is a critical weakness in the open-source Log4j logging tool from Apache, which is commonly used on a wide variety of devices, services and applications.
Discovered Thursday, this vulnerability is rated 10 out of 10 on the criticality scale, as it provides an easy way for malicious actors to execute code on a device remotely. How easy? Players of the online game “Minecraft” had their systems attacked by other players who simply posted a short snippet of code into the chat window, and the Apple iCloud server could be attacked just by changing the name of an iPhone. Both services have since been patched, but countless other systems will require patching to address the vulnerability.
Metropolitan State University of Denver has hundreds of servers and thousands of Windows and Mac endpoints that will require patching and updating. Information Technology Services is in the process of patching systems to address this vulnerability and has enabled multiple layers of security tools to identify and block attempts to exploit this weakness. These tools include firewalls, vulnerability-scanning tools and endpoint-protection tools – Defender ATP and CrowdStrike.
People using MSU Denver-managed devices may receive messages indicating that patches and updates are available to download and install. ITS asks that all users keep an eye out for these messages and that recipients perform the download and installation as soon as possible through the Software Center. Anyone using a personal device should check for and install updates regularly through Windows Update.
For more information about the Log4Shell vulnerability, read this article from LunaSec, as well as the programmers’ guide on how to detect and mitigate the issue.
Topics: Best practices, Cybersecurity, Safety, Technically Speaking, Technology