Computing Systems

Informatics Computing Staff jottings

log4shell security vulnerability

By now most people are probably aware of the recent discovery of multiple critical security issues in the Java log4j logging library (version 2), which have been named “log4shell”. In some circumstances, these flaws can give attackers the ability to remotely execute their code on our systems. An overview can be found on Wikipedia.

Since the issue was first announced, just over a week ago, computing staff within the School and our colleagues in IS have been working very hard to ensure that this issue does not lead to our computing infrastructure being compromised. We have scanned all externally accessible websites to look for evidence of exploitable systems. We have also scanned all home directories, group space, and local system disks for vulnerable log4j library versions. We are now in the process of contacting all those who own files that contain insecure versions of log4j. If you are contacted you must resolve the issue as soon as possible. We are happy to advise or help if you are not sure of the best course of action to take.

We are also aware of security issues in the old, unsupported 1.2 series of the log4j library. Those issues are not currently considered to be as critical, so we are focussing our efforts on version 2. In the New Year, we will begin contacting people with software that uses 1.2.

The log4j library is bundled with many other Java libraries and software, so it’s not always obvious that you have it installed. Software distributors are in the process of providing updates; you must apply them as soon as they become available. Most Linux distributors have already updated the version they provide. If you bundle the code with your own projects, you can download the latest version from the project website.
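To check your own files for bundled copies, the following Python is an added example (not the scanner used by the School): it opens jar/war/ear/zip archives, including archives nested inside other archives, looks for log4j-core's Maven metadata and its JndiLookup class, and reports the version it finds. The function names and the constructed sample archive are assumptions made for illustration.

```python
import io
import os
import re
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Paths inside log4j-core 2.x jars: Maven metadata (records the version) and the JNDI lookup class.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_archive(data, label):
    """Return [(location, version, has_jndi_class)], recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or not an archive: skip, do not abort the scan
    hits = []
    with zf:
        names = zf.namelist()
        # endswith() also matches copies stored under an added path prefix
        pom = next((n for n in names if n.endswith(POM)), None)
        jndi = any(n.endswith(JNDI) for n in names)
        if pom or jndi:
            text = zf.read(pom).decode("utf-8", "replace") if pom else ""
            m = re.search(r"^version=(.+)$", text, re.M)
            hits.append((label, m.group(1).strip() if m else "unknown", jndi))
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                hits += scan_archive(io.BytesIO(zf.read(n)), f"{label}!{n}")
    return hits

def scan_tree(root):
    """Scan every archive under root (a home directory, group space, ...)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                hits += scan_archive(path, path)
    return hits

def build_constructed_sample(root):
    """Constructed test data: app.jar bundling a stand-in log4j-core jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM, "artifactId=log4j-core\nversion=2.0-sample\n")
        z.writestr(JNDI, b"")
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-sample.jar", inner.getvalue())
```

Call `scan_tree()` on a directory and compare each reported version with the latest release on the project website. A hit whose version is `unknown` still means log4j-core classes are bundled in that archive.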

If you have any questions about this issue or need help with fixing log4j please contact us via our Support Form.
