Security Advisory – Log4Shell Security vulnerability (CVE-2021-44228) - December 12, 2021


Overview

On December 10, 2021, a critical remote command execution (RCE) vulnerability (CVE-2021-44228) was disclosed in Apache Log4j versions 2.0 to 2.14.1. Log4j is a Java-based logging tool used widely in consumer and enterprise apps, cloud services, and websites. Depending on how the system is configured, exploiting this unauthenticated remote code execution vulnerability potentially allows an attacker to download and subsequently execute a malicious payload.

References

  • (CVE-2021-44228)

Effective Security Severity Level

Critical

Affected Systems

Ex Libris products are not affected by this vulnerability.

Tests and Certifications

Ex Libris products are being tested to confirm that they are not affected by this vulnerability.

Actions Taken for Hosted Systems

Ex Libris products are not affected by this vulnerability. As an added precaution, Ex Libris deployed additional protection in our cloud data centers to further protect our systems from this vulnerability.

Required Actions for On-Premises and Local Systems

Ex Libris products are not affected by this vulnerability.

For customers using Apache Log4j versions locally installed elsewhere in their environment, we recommend consulting their local security staff or, in the case of third-party systems, following the respective vendor's instructions.

 

Exploitation and Public Announcements

The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory in the context of Ex Libris products.

 

Record of Changes

Type of information | Document Data
Document Title: | Security Advisory – Log4Shell Security vulnerability (CVE-2021-44228) - December 12, 2021
Document Owner: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
Approved by: | Barak Rozenblat – VP Cloud Services
Issued: | December 12, 2021
Reviewed & Revised: | December 12, 2021

 

Revision Control

Version Number | Nature of Change | Date Approved
1.0 | Initial version | December 12, 2021

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated regularly or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
