Major vulnerability in log4j

A new critical security vulnerability known as Log4Shell (CVE-2021-4428) has been discovered that affects millions of Java applications from many different vendors and is actively being exploited by cybercriminals. The flaw is in the popular logging framework known as Apache Log4j and could lead to ransomware, data theft, or complete system take over.

Due to the severity of this security flaw, you may see emergency outages and downtime for services at ODU and the Internet at large while the technology industry works to patch or otherwise remediate their services and applications.

As ODU identifies software and applications that are vulnerable, we will strive to make necessary updates outside of normal business hours to reduce the impact of any outages. However, we may need to do emergency patching during the day, causing unavoidable service interruptions. Please understand that the safety and security of ODU assets and information is paramount. We appreciate your patience.

If you are responsible for administering software, application services, or if you manage a hosted application (Software as a Service, or SaaS) as a system owner or application administrator, please ensure our software and services are safe by doing the following:

1. If using vendor-supplied software/services (either on-premises or hosted), contact the vendor immediately to determine how they are addressing the vulnerability and whether you are required to take actions.
2. If the software is developed in-house, or if you want more technical details, see the Apache and CISA guidance on these sites.
3. Report the status of your software/service to the Information Security Office (ISO) at secteam@odu.edu. For additional guidance, email ITSHelp@odu.edu.

If you are notified by a vendor of a data breach or suspect that your system has been compromised, contact the Information Security Office (ISO) via the ITS Help Desk (ITSHelp@odu.edu or (757) 683-3192) for further instructions before taking other actions.

Is my application running Java? How do I find out?

If your application is not running Java, it is not vulnerable to this exploit. Contact your application support team to find out whether your application is vulnerable, what they are doing to address the vulnerability, and when the mitigation will take place.

My application uses JavaScript. Am I vulnerable?

JavaScript and JSON are not the same as Java and are not affected by this vulnerability.

What do I do if I have an application running Java?

An application running Java is only affected by this vulnerability if it is running the Apache Log4j framework. See the Apache and CISA web pages for guidance.

How do I know if my application is vulnerable to this exploit?

Check with your application's support team. Not sure who that is? Email the Information Security Office at secteam@odu.edu.

I know that ODU-managed machines and servers will be taken care of. What about my personal PC? What can I do to protect it?

Verify that your important applications and games are up to date. The popular video game Minecraft is just one application that is vulnerable and has been exploited, for example. While our main focus is protecting ODU servers, desktop computers may also be vulnerable and the Security team is gathering information on applications that may be running this logging framework.

The support person for an application I manage found that the software is vulnerable. While they are working to mitigate the threat, they haven’t completed it yet. What do I do?

Please report that to the Security team as soon as you can so we can work to minimize the threat from our end.