Log4Shell Vulnerability: What You Need to Know
On Friday, December 10, a critical software vulnerability known as Log4Shell was broadly publicized. Alarmingly, this vulnerability is widespread, affecting organizations worldwide and putting numerous Stanford systems at risk. The Information Security Office (ISO) has detected related activity targeting our systems and has been working around the clock with IT teams throughout the university to apply fixes as quickly as possible.
What systems are affected?
Laptops, desktops, and mobile devices may be using this software, but they are not generally at risk. The most vulnerable systems are servers and web-based applications. We are prioritizing internet-facing services, as these are the most susceptible of all.
What is Log4Shell?
Log4Shell is a nickname for a vulnerability in a Java software component called Log4j. Log4j is embedded into numerous applications and is used to log activity such as visitors to a website. The vulnerability can be remotely exploited by adversaries to gain unauthorized access to systems.
Our plan of action
ISO is leading the response to this cyber threat and has mobilized the IT community across the university. Our shared goal is to eliminate as many of the Log4Shell vulnerabilities as possible prior to winter closure by applying software updates to servers and applications. ISO has also implemented several network-based safeguards to help protect university systems from attacks.
Learn more
Read more about the Log4Shell vulnerability:
- https://www.zdnet.com/article/log4j-flaw-puts-hundreds-of-millions-of-devices-at-risk-says-us-cybersecurity-agency/
- https://www.techrepublic.com/article/critical-log4shell-security-flaw-lets-hackers-compromise-vulnerable-servers/
- https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit
- https://www.npr.org/2021/12/10/1063278227/minecraft-software-flaw
- https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/
DISCLAIMER: UIT News is accurate on the publication date. We do not update information in past news items. We do make every effort to keep our service information pages up-to-date. Please search our service pages at uit.stanford.edu/search.