Critical vulnerability Log4j: fact sheet available for SURF members
Vulnerability with major impact
The vulnerability in Apache Log4j 2 allows an unauthenticated attacker to have arbitrary code executed remotely: a specially crafted string that ends up in a log message (for example via an HTTP header or a form field) triggers a JNDI lookup to an attacker-controlled server, and the code that is fetched runs with the rights of the Java process doing the logging, such as a web application server. The Java logging library is widely used in cloud services and enterprise applications, among other things.
Fact sheet with latest state of affairs
Since last Friday morning, SURFcert has been actively informing the SURF Community of Incident Response Teams (SCIRT) about this vulnerability. SURFcert has compiled a fact sheet that brings together all relevant information and updates it continuously, so that institutions can consult it and always be aware of the latest situation. The fact sheet also refers to the resources of other parties with which SURFcert is in constant contact and collaboration, such as the National Cyber Security Centre (NCSC).
In addition to SURF's security communities, other important SURF stakeholders have been informed: the Coordinating SURF Contact Persons (CSCs), the Institutional Contact Persons (ICPs), the Universities of the Netherlands, the Netherlands Association of Universities of Applied Sciences (VH), the saMBO-ICT, the Ministry of Education, Culture and Science, and the Platform for Integrated Security in Higher Education.
Vulnerability and SURF's services
SURF, as a service provider, also took immediate action after the vulnerability came to light. All SURF services have since been scanned for use of log4j, either directly or indirectly through the components they depend on. A limited number of services turned out to be affected. Where possible, these have been patched; where a patch is not yet available, mitigating measures have been taken. The log4j vulnerability has not affected the continuity of services. We will of course continue to monitor all our services closely in the time ahead.
Software licences via SURF
The Procurement & Contracting department, which arranges software licences for institutions, has asked suppliers whether their products are affected by the log4j vulnerability and whether patches are available. An overview of suppliers and the measures to be taken is available and will be updated regularly.