[IPT] IPT security update (Log4J / Log4Shell exploit)
Matthew Blissett
mblissett at gbif.org
Sat Dec 11 09:55:35 UTC 2021

Dear IPT users,

We have released a new version of the IPT, version 2.5.4 [1]. This
version contains fixes to critical security issues with the Struts and
Log4J[2] libraries.

According to the press [3], the problem with the Log4J library
vulnerability is being exploited by malicious users — and I can already
see queries containing "jndi" in the web server logs for the IPTs GBIF
hosts at cloud.gbif.org, although they are random attempts and would not
succeed.

All users are highly encouraged to upgrade to this version as soon as
possible.

As usual, upgrade and installation instructions are in the manual [1].
Please remember to check your data directory backup is working before
starting the upgrade.

[1] https://ipt.gbif.org/manual/en/ipt/2.5/releases#2-5-4-december-2021
[2] https://www.lunasec.io/docs/blog/log4j-zero-day/
[3] https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell

Best regards,
Matthew
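
The log check mentioned in the message above, as an added example that is not part of the original e-mail or of the IPT project: it scans access logs for "jndi" in the request line, referer and user agent after percent-decoding. The combined log format, the function names and the sample lines (constructed, using documentation-range addresses) are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Dec/2021:09:12:01 +0000] "GET /ipt/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2021:09:13:44 +0000] "GET /?x=${jndi:REDACTED} HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.5 - - [11/Dec/2021:09:14:02 +0000] "GET /ipt/resource?r=birds HTTP/1.1" 200 8431 "-" "${jndi:REDACTED}"
198.51.100.7 - - [11/Dec/2021:09:15:30 +0000] "GET /login?u=%24%7BJNDI%3AREDACTED%7D HTTP/1.1" 404 196 "-" "curl/7.68.0"
"""

# Assumed layout: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def decode(value, rounds=3):
    """Percent-decode repeatedly so encoded or double-encoded text is visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_jndi_hits(lines):
    """Return (ip, timestamp, status, field) for every field containing 'jndi'."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        for field in ("request", "referer", "agent"):
            if "jndi" in decode(m[field]).lower():
                hits.append((m["ip"], m["ts"], m["status"], field))
    return hits

def hits_per_client(hits):
    """Count hits per source address to show who is probing most."""
    return Counter(ip for ip, _, _, _ in hits)

if __name__ == "__main__":
    found = find_jndi_hits(SAMPLE_LOG.splitlines())
    for hit in found:
        print(*hit)
    print(dict(hits_per_client(found)))
```

A hit records that a probe reached the web server; it does not by itself show that the request succeeded.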