Library and Technology Services (LTS) is aware of a recent security vulnerability that is having a widespread impact across the globe. The vulnerability involves a software module called Log4j, a Java-based logging utility that is embedded in many software applications.
What makes this vulnerability particularly dangerous?
- Log4j is widely distributed.
- Log4j is often hidden within larger software packages.
- It is easily exploitable. Hackers do not need to trick users or have any special access in order to take complete control over vulnerable systems.
What is LTS doing to evaluate and mitigate the impact of Log4j?
LTS staff have been working continuously since Friday, December 10 to discover systems, applications, and services that might be vulnerable, apply patches or mitigation measures where available, and monitor exploitation attempts from nation-state actors. We expect the need for continued vigilance through the holidays, semester break, and potentially beyond.
What can your area do to help?
Although the bulk of remediation will be handled by LTS, we are asking for assistance from the Lehigh community. If you or your department manages any systems outside of LTS, or purchases software through a vendor that hosts it for you or through a Cloud Services or SaaS (Software as a Service) agreement, we ask that you contact your vendor to request a status update on whether they are impacted by the Log4j/Log4Shell vulnerability. If they are, you should ask them when their system will be patched.
Sample email template for contacting vendors
To: Vendor Name/Contact
Subject: Status of log4j vulnerability
As you may be aware, there is a major exploit in the wild targeting the Apache log4j library. We are requesting a status update from you as to whether we are vulnerable and, if so, what you are doing to address the situation. Please respond to me and to our Office of Information Security at firstname.lastname@example.org. Please note the date, time, and time zone of the logs when submitting them.
Please report this information to the Office of Information Security at email@example.com.
If you have any questions about the vulnerability, please submit a help request for assistance.
Eric Zematis, CISSP, CISM, PMP
Chief Information Security Officer
Greg Reihman, PhD
Vice Provost for Library and Technology Services