[CITL] Notice of 0-day Vulnerability
Dewight F Kramer
dewight.kramer at ucr.edu
Fri Dec 10 15:21:39 PST 2021
Dear CITL,
Out of an abundance of caution, the Information Security Office would
like to alert you to a new 0-day vulnerability. Designated
CVE-2021-44228, this vulnerability affects applications using log4j,
the popular Java logging library. Exploitation is triggered by
causing a string in a certain format to be passed to the log4j
library. If successful, malefactors gain the ability to run arbitrary
code on the victim's system.
Importantly, proof-of-concept code is publicly available, and the ISO
has detected incoming attempts to exploit this vulnerability. ITS is
currently investigating mitigating controls to blunt these attacks,
but we wanted to alert you directly and immediately about this
vulnerability and the threats associated with it.
For more information about this vulnerability, please see the links below.
* https://github.com/NVISOsecurity/nviso-cti/blob/master/advisories/20211210-log4shell.md
* https://www.lunasec.io/docs/blog/log4j-zero-day/
If you have any questions, please don't hesitate to reach out to the
Information Security Office.
Dewight Fredrick Kramer
Chief Information Security Officer
Information Technology Solutions
University of California, Riverside
(951) 827-3070 | dewight.kramer at ucr.edu