A critical system vulnerability, commonly called the log4j vulnerability or "log4shell," was announced in Apache's Java logging facility. Because of the prevalence of Apache software, this vulnerability exists in web servers and many other software systems that use Apache software. The vulnerability is being actively attacked worldwide, and new, exploitable security problems involving the same component continue to be discovered. Caltech is observing a large and ongoing number of attempts to find and exploit this weakness on our network.
It is critical that anyone with system administration responsibilities understand whether their systems are vulnerable to this issue and remediate accordingly on an urgent basis. Review the security-announce mailing list archives for the latest information (VPN required). Sign up for the security-announce mailing list to receive updates (VPN required).
If you have any questions on this or need assistance, please contact the IMSS Help Desk at x3500, help@caltech.edu, or https://help.caltech.edu.
United States Cybersecurity and Infrastructure Security Agency guidance may be found at https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance