Software vulnerability: Log4j

(posted Dec 15, 2021)

A critical vulnerability has been discovered in a common software component known as Log4j that is used within a number of server applications on Linux, Windows, and MacOS. The exploit can be conducted remotely and with very low expertise, making this vulnerability very concerning. This necessitates the attention of the UTSC community, as it not only an issue for system administrators but also for those who manage relationships with software vendors for external/cloud services. IITS staff have been working diligently through the past week to assess the risks to our campus and have taken proactive steps to detect, isolate and patch where we can. However, there are many systems outside of our control. U of T's Chief Information Security Officer has exerted emergency response authority and will block systems exhibiting signs of compromise without exception. These systems must then be triaged, wiped and rebuilt.
 
IITS staff are continually updating and patching IITS-managed devices, such as office computers, as needed - no user actions is required.

We need your assistance with the following:

1. If you manage your own systems, servers or cloud applications and IITS has not yet been in direct contact regarding this vulnerability, please inform infosecurity.utsc@utoronto.ca.
    
2. If you are using external/cloud solutions with a 3rd party vendor or contractor, it is imperative that you open a support ticket to inquire about their response to the “Log4j Vulnerability” and the actions you need to take. If uncertain inform infosecurity.utsc@utoronto.ca.
    
3. For technical staff who manage their own systems, we’ve published a short write up on how to detect the affected versions here (login required). There are many approaches to detect the vulnerability. If an affected version of log4j is found, you must ensure you patch to the updated (2.16) version asap.

Thank you,

Zoran Piljevic
Director
Information and Instructional Technology Services