Log4J Response
Update on Log4J Response and Actions Needed
Last week the global technology community discovered a critical vulnerability in Log4J affecting systems worldwide. Please read below for details on UC San Diego's response and the immediate actions you should take. As necessary, consult with the technology and security professionals in your department or division.
Alert
Beginning Monday December 20, 2021, any computer on the campus network found to be vulnerable to the Log4J vulnerability will be immediately removed from the network. If you see any suspicious activity on your computers such as excessive activity or log file growth, please remove the system from service (unplug network cable) and contact security@ucsd.edu.
Actions
The campus has detected over 10,000 attacks using the Log4J vulnerability. If you are unsure whether your system is vulnerable, please turn it off until you can confirm that it is either not vulnerable or has been patched. The vast majority of these attacks target servers, not laptops. Owners of ordinary laptops and desktops should still make sure the most recent updates are applied.
- Log4J is embedded in a large number of commercial software applications. Be aware of any vendor updates for these packages and apply patches as quickly as possible.
- Log4J is included with many popular open source products. Update to the latest version as soon as possible. Vulnerable computers should be turned off until they can be patched.
- If updating to the latest version is not possible, it may be possible to temporarily mitigate exploit attempts by setting the system property log4j2.formatMsgNoLookups to true, or by removing the JndiLookup class from the classpath. Talk to your technical staff for assistance.
Additional guidance on protecting your systems:
- https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/
- https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
- https://logging.apache.org/log4j/2.x/security.html
- https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
FAQ
What is the vulnerability?
Log4J is a logging library widely used in Java software. Last week a vulnerability was announced that could easily be exploited to give an attacker the ability to remotely run software on a targeted system. This is one of the most serious forms of vulnerability, colloquially known as RCE, for Remote Code Execution. The Log4J module is embedded in millions of applications globally, typically on web servers, and is thus exposed to the internet.
Why is this a significant issue for UC San Diego?
Java and products using the Log4J module are used throughout UC San Diego. Note that we believe our critical systems are largely remediated. As vendors provide updates they are being applied on an emergency basis (i.e., immediately).
Can't the Office of Information Assurance just search for every copy and fix it?
There is no remote method for detecting the use of vulnerable versions of Log4J. We are relying on two primary methods of detection: our automated vulnerability identification software and manual analysis. Our vulnerability identification software was updated Saturday to detect the vulnerable code, but it must be physically installed to detect this sort of vulnerability. Faculty and non-faculty researchers can download and install both our current anti-malware software and the vulnerability identification software from the secure.assure.ucsd.edu installers page (@ucsd.edu login required).
The manual analysis process requires examining each system directly to see whether Log4J is present and, if so, which version is installed.
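The manual check described above, and the JndiLookup removal mentioned under Actions, can be scripted for a fleet of servers. The script below is an added example and is not part of this advisory, of UC San Diego's tooling, or of the Apache project: it walks a directory tree for log4j-core jars, reads the version from each jar's manifest (falling back to the file name), reports whether the JndiLookup class is still present, and rewrites a vulnerable jar without that class, which has the same effect as the zip -d command Apache documented. The 2.17.1 threshold, the function names and the sample jars the script constructs for its own demonstration are assumptions for this example; set the threshold from the current Apache security page.

```python
"""Inventory and mitigate log4j-core jars on a host (added example, not the advisory's own tooling)."""
import os
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Class whose removal Apache documented as a mitigation for the lookup-based exploit.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed threshold: the 2.x release Apache recommended at the end of 2021. Adjust as needed.
RECOMMENDED_VERSION = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release tag such as '2.0-beta9' is ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def inspect_jar(jar_path):
    """Classify one jar by manifest version (or file name) and JndiLookup presence."""
    jar_path = Path(jar_path)
    version = None
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    if version is None:
        version = parse_version(jar_path.name)
    jndi_present = JNDI_LOOKUP_CLASS in names
    if version is not None and version >= RECOMMENDED_VERSION:
        status = "patched"
    elif not jndi_present:
        status = "mitigated"  # old release, but the lookup class has been removed
    else:
        status = "vulnerable"
    return {"path": str(jar_path), "version": version,
            "jndi_lookup_present": jndi_present, "status": status}


def scan_tree(root):
    """Walk a directory tree and report every log4j-core jar found under it."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        try:
            with zipfile.ZipFile(path) as zf:
                is_core = path.name.startswith("log4j-core") or JNDI_LOOKUP_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            continue  # not a real jar; skip rather than abort the whole scan
        if is_core:
            findings.append(inspect_jar(path))
    return findings


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class and return its new classification."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # atomic swap so a crash never leaves a half-written jar
    return inspect_jar(jar_path)


def build_sample_jar(directory, version, with_jndi_lookup=True):
    """Construct a stand-in log4j-core jar for offline demonstration (constructed, not a real artifact)."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
    return path


def demo():
    """Scan a constructed tree, mitigate the vulnerable jar in place, return (before, after) statuses."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = Path(root) / "app" / "lib"
    lib.mkdir(parents=True)
    build_sample_jar(lib, "2.14.1")  # unpatched release with JndiLookup present
    build_sample_jar(lib, "2.17.1")  # release at the assumed recommended threshold
    before = {Path(f["path"]).name: f["status"] for f in scan_tree(root)}
    after = {}
    for finding in scan_tree(root):
        if finding["status"] == "vulnerable":
            finding = remove_jndi_lookup(finding["path"])
        after[Path(finding["path"]).name] = finding["status"]
    shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

A "mitigated" result means only that the lookup class is gone; the jar should still be replaced by an updated release as soon as the vendor or project provides one, which is the order of preference the Actions list gives. Where a jar cannot be edited (a vendor-signed bundle, for example), the other route named above is to add -Dlog4j2.formatMsgNoLookups=true to the JVM command line; a scan like this one still tells you which hosts need that setting.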
So you've fixed it in all centrally provided services?
We believe it has been either patched or remediated where we can identify it; however, as new systems are found, they are still being addressed. Many vended products also use Log4J and are opaque to our inspection. We have been contacting critical providers for assurances on the posture of their software, or for the manufacturer to update their systems. There may be disruptions to services if they are found to be vulnerable but for which a patch is unavailable. All vulnerable services are being patched and updated as they are identified.
What are we doing to protect the campus in general?
The campus firewalls have been configured to block live attacks when possible; this has blocked several hundred confirmed attacks. In addition, as scans and attacks are identified, we block the internet address launching the attack at the campus network edge. Critical campus services that cannot be disabled but for which a patch is not yet available are being removed from the public internet and will require the VPN to access.
We continue to watch for new vulnerable systems, and, beginning Monday December 20, 2021, any system newly discovered to be vulnerable will be immediately removed from the campus network until it is remediated.