linux-announce AT lists.psi.ch
Subject: Linux Mailing List
- From: Leonardo Sala <leonardo.sala AT psi.ch>
- To: "Talamo Ivano Giuseppe (PSI)" <ivano.talamo AT psi.ch>, "linux-announce AT lists.psi.ch" <linux-announce AT lists.psi.ch>
- Subject: Re: [[Linux-announce] ] log4j vulnerability
- Date: Thu, 16 Dec 2021 20:07:42 +0100
- Authentication-results: mc2.ethz.ch; iprev=pass (psi-seppmail1.ethz.ch) smtp.remote-ip=129.132.93.141; spf=pass smtp.mailfrom=psi.ch; dmarc=skipped
Dear all,
as requested by the dedicated PSI Task Force, I would kindly ask you to inform me in case any vulnerability connected to log4j2 is affecting your systems by Friday 17:00.
Thank you very much
Kind regards
Leo
Paul Scherrer Institut
Dr. Leonardo Sala
Group Leader Data Analysis and Research Infrastructure
Group Leader a.i. Linux Core
Deputy Department Head a.i. Science IT Infrastructure and Services department
Science IT Infrastructure and Services department (AWI)
WHGA/036
Forschungsstrasse 111
5232 Villigen PSI
Switzerland
Phone: +41 56 310 3369
leonardo.sala AT psi.ch
www.psi.ch
On 12/15/21 2:39 PM, Talamo Ivano Giuseppe (PSI) wrote:
Dear all,
This is a reminder about the log4j vulnerability and
possible related mitigations and fixes.
The full reference document is the SNOW KB article:
https://psi.service-now.com/nav_to.do?uri=%2Fkb_view.do%3Fsysparm_article%3DKB0003297
In general, it is not enough to check whether the rpm
package is installed, since the affected code can be shipped
together with some application in the form of a jar file.
There's a tool at [1] that you can use to scan a system for
affected log4j jar files.
Please consider that the tool only detects and fixes the
log4j version 2 bug.
It could still be possible that you have software using
log4j version 1, that also presents a vulnerability, although
of moderate severity. A more detailed explanation and
description of possible mitigations are provided in [2,3].
Kind regards,
Ivano Talamo for the Linux team
__________________________________________
Paul Scherrer Institut
Ivano Talamo
WHGA/038
Forschungsstrasse 111
5232 Villigen PSI
Schweiz
Telefon: +41 56 310 47 11
E-Mail: ivano.talamo AT psi.ch