[Opensim-dev] Check if we are impacted by latest Zero-day exploiting Apache Log4j logging library

Ai Austin ai.ai.austin at gmail.com
Mon Dec 13 19:38:31 UTC 2021


I have been told by the University it is under serious attack (as are
lots of other institutions and servers) by the latest Zero-day
exploiting Apache Log4j logging library... Does anyone know if our
logging using Log4net is impacted (or linked in some way to the
libraries) or that we might be vulnerable?

Here are the notes sent to those running servers by our tech team today...

>I suspect that you will have heard of the latest zero-day exploit to 
>hit the news - the Apache Log4j logging library, used by a large 
>number of both open source and proprietary software, can be easily 
>exploited to take control of vulnerable systems remotely. We are 
>already seeing a large number of probes against the systems that we 
>manage, testing for their vulnerability to this exploit. We are 
>confident that your system(s) are similarly being probed.
>
>The University has put in place some protection against this 
>vulnerability, but it is crude protection and expected to be worked 
>around fairly swiftly. The only real protection is to take 
>vulnerable systems off-line until they are patched.
>
>Identifying whether a system is vulnerable to this exploit is
>non-trivial as Log4j is commonly shipped in a JAR file with an
>application - it is not just as simple as checking (with rpm or 
>dpkg) which version of Log4j is installed on the system.
>
>The following web-site includes a list of software which is known to 
>be affected - 
>https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/. 
>Guidance from the National Cyber Security Centre is available at :- 
>https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
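
Added example, not part of the original message or of any OpenSim code: the quoted note says Log4j usually ships inside an application's JAR, so a package-manager query misses it. This Python scanner opens every archive under a directory, including archives nested inside other archives, and reports each copy of log4j-core's `JndiLookup` class with the version recorded in its Maven metadata. The function names, the extension list and the nesting limit of 5 are assumptions made here; shaded JARs that relocate the class path are not detected.

```python
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def scan_archive(source, label, depth=0, max_depth=5):
    """Return [(location, version_or_None)] for log4j-core copies in an archive."""
    try:
        zf = zipfile.ZipFile(source)  # source: a path or a seekable file object
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable, or not an archive despite its extension
    hits = []
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            pom = zf.read(POM_PROPS) if POM_PROPS in names else b""
            m = re.search(rb"^version=(\S+)", pom, re.M)
            hits.append((label, m.group(1).decode() if m else None))
        if depth < max_depth:  # bound recursion into archives-within-archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXTS):
                    inner = io.BytesIO(zf.read(name))
                    hits += scan_archive(inner, f"{label}!/{name}", depth + 1, max_depth)
    return hits


def scan_tree(root):
    """Scan every archive file under a directory tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                hits += scan_archive(path, path)
    return hits


def make_jar(entries):
    """Build an in-memory archive from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Call `scan_tree()` on an application's install directory; a hit with version `None` means the class is present but the Maven metadata was stripped, so the version has to be established another way.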


