Critical vulnerability Log4j: fact sheet available for SURF members

Thursday 9 December it was announced that there is a critical vulnerability in the Apache Log4j 2 open source tool. This vulnerability is extremely serious and poses a problem for many organisations worldwide, including SURF members. SURFcert has therefore compiled a fact sheet that members can consult in order to take specific action.

Vulnerability with major impact

The vulnerability in Apache Log4j 2 makes it possible for unauthenticated persons to remotely inject and execute arbitrary code with the rights of the web server. The Java logging tool is widely used for cloud services and enterprise apps, among other things.

Fact sheet with latest state of affairs

Since last Friday morning, SURFcert has been actively informing the SURF Community of Incident Response Teams, SCIRT, about this vulnerability. SURFcert has compiled a fact sheet listing all the information and updates it continuously. Institutions can consult it so that they are always aware of the latest situation. This fact sheet also refers to the resources of other parties with which SURFcert is in constant contact and collaboration, for example the National Cyber Security Centre (NCSC).

Stakeholders informed

In addition to SURF's security communities, other important SURF stakeholders have been informed: the Coordinating SURF Contact Persons (CSCs), the Institutional Contact Persons (ICPs), the Universities of the Netherlands, the Netherlands Association of Universities of Applied Sciences (VH), the saMBO-ICT, the Ministry of Education, Culture and Science, and the Platform for Integrated Security in Higher Education.

Vulnerability and SURF's services

SURF, as a service provider, also took immediate action after the vulnerability came to light. All SURF services have since been scanned for direct or indirect use of log4j tooling (indirect use meaning log4j bundled inside another application or library). This turned out to be the case for a limited number of services. Where possible, these have been patched; where a patch is not yet available, mitigating measures have been taken. The log4j vulnerability has not affected the continuity of services. We will of course keep a close eye on all our services in the time ahead.
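The inventory step described above, scanning a deployment for direct and indirect use of log4j, is the part institutions can reproduce themselves. The following Python script is an added example and is not SURFcert's own tooling: it walks a directory tree, opens every JAR/WAR/EAR archive, recurses into archives nested inside archives (which is how Log4j usually arrives indirectly, bundled in an application's WAR or fat JAR), and reports each log4j-core artifact with its version and whether the JndiLookup class is still present. The sample deployment it builds for the demo run (a WAR bundling log4j-core and a stand-alone jar with JndiLookup removed) is constructed data; the version string used there is only an illustration, and which versions need action should be taken from the fact sheet and vendor advisories.

```python
"""Inventory scanner for Log4j 2 usage (added example, not SURF tooling)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# The class that implements JNDI lookups in log4j-core; Apache's documented
# mitigation for older 2.x releases was to delete it from the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside its own jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_VERSION = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")


@dataclass
class Finding:
    path: str          # outer file path, nested entries joined with "!"
    version: str       # from pom.properties, else from the file name, else "unknown"
    jndi_lookup: bool  # JndiLookup.class present in this jar


def _version_of(zf, display):
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = FILENAME_VERSION.search(display)
    return m.group(1) if m else "unknown"


def _scan_zip(zf, display, findings):
    names = set(zf.namelist())
    # Treat a jar as log4j-core if it carries the core metadata or the lookup
    # class, or if its file name says so (renamed jars are caught by content).
    if POM_PROPS in names or JNDI_LOOKUP in names or "log4j-core" in os.path.basename(display):
        findings.append(Finding(display, _version_of(zf, display), JNDI_LOOKUP in names))
    for entry in names:
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue  # entry named like an archive but not one; skip it
            _scan_zip(inner, f"{display}!{entry}", findings)


def scan_tree(root):
    """Return a Finding for every log4j-core jar under root, nested or not."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(full) as zf:
                    _scan_zip(zf, full, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def report(findings):
    """One tab-separated line per finding, for a ticket or spreadsheet."""
    lines = []
    for f in findings:
        status = "JndiLookup present: check version against advisory" if f.jndi_lookup \
            else "JndiLookup absent"
        lines.append(f"{f.path}\tlog4j-core {f.version}\t{status}")
    return lines


def build_sample_tree(root):
    """Constructed demo deployment (not real builds): a WAR bundling
    log4j-core with JndiLookup present, plus a stand-alone log4j-core jar
    from which JndiLookup.class has been removed as a mitigation."""
    os.makedirs(os.path.join(root, "apps"), exist_ok=True)
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(root, "apps", "portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
        war.writestr("WEB-INF/lib/log4j-api-2.14.1.jar", b"")  # not a valid zip
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\n")  # JndiLookup.class deleted


def demo():
    """Build the sample tree in a temp dir, scan it, return findings with
    paths made relative to the temp root so they are stable."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        for f in findings:
            f.path = os.path.relpath(f.path, root)
        return sorted(findings, key=lambda f: f.path)


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

Point `scan_tree` at a real application directory to get the same report for a deployment; because it recurses into nested archives it also surfaces copies of log4j-core that a package manager or filename search would miss.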

Software licences via SURF

The Procurement & Contracting department, which arranges software licences for institutions, has asked the suppliers whether there are any log4j vulnerabilities and whether any patches are available. An overview of suppliers and the measures to be taken is available. This overview will be updated regularly.