IDENTIFIED : **URGENT** CRITICAL JAVA VULNERABILITY – IMMEDIATE ACTION REQUIRED


Identified : You may have seen reports from various news outlets that a major global cybersecurity incident is currently underway, and wondered, ‘how is this vulnerability affecting UBC, and what is being done to protect our services?’

The vulnerability is named “log4shell”, and it impacts a common component in Java, a programming language and computing platform that many applications and websites rely on to function, including several systems and websites at UBC.

As soon as this vulnerability was discovered, UBC Cybersecurity and UBC IT began working with departmental IT personnel and System Administrators to assess which servers and systems may be susceptible to exploitation. These teams have been in constant contact, while monitoring is taking place, to take immediate action to mitigate or patch discovered vulnerabilities.
While you may have directly received or been forwarded other messages related to this matter, the reason for this notification is, out of an abundance of caution, it is crucial that everyone is aware of the importance to address any potentially at-risk systems immediately.

What is the risk:
This is a critical vulnerability that allows a malicious user to implant and run code on an impacted server over the Internet with trivial effort.

What you should do:
• Connect with the individuals in your team that maintain servers or systems to ensure they are aware of this vulnerability and have acted (see UBC technical details below).
• Prioritize systems that are accessible from the Internet (eg: web servers and portals).
• If you have vendor supplied services – check with the vendor to ensure they have acted.

UBC has provided extensive technical details about the vulnerability and what to do about it here:
https://cc.cybersecurity.ubc.ca/vulnerabilities/advisory-critical-vulnerability-in-log4j-cve-2021-44228/ (CWL login required)
December 13, 2021 – 17:41 PT


Investigating : There is a critical vulnerability in log4j (CVE-2021-44228 / Twitter Feed), which is used extensively in open-source and commercial java web applications. The vulnerability is actively being exploited in the wild, and allows for full remote code execution on affected servers.
General guidance and expectations are as follows:

1. Identify where log4j is used in your environment
2. Determine if the versions you have in your environments are vulnerable
3. Mitigate immediately using mitigation instructions in the article
4. Patch log4j [if possible without completely breaking the application environment]
5. Follow up with vendors and upstream projects and frameworks to get their official patches ASAP
6. Priority should be given to those applications which are internet-facing

Please reference the UBC Cybersecurity Confidential website (https://cc.cybersecurity.ubc.ca/?p=8995) for more information.
December 10, 2021 – 12:05 PT


See https://status.it.ubc.ca for further details.