[awips2-users] Log4j Threat Announcement

Hello Unidata AWIPS users,

Late last week, security researchers revealed a security vulnerability in
some versions of the commonly-used Apache library Log4j. The vulnerability
is a Remote Code Execution (RCE) exploit that allows an attacker who can
control log messages to execute arbitrary code loaded from
attacker-controlled servers. Because it allows an attacker to execute
arbitrary code on affected systems, the National Vulnerability Database
operated by the U.S. Department of Commerce’s National Institute of
Standards and Technology (which identifies the exploit as CVE-2021-44228)
lists it among the most critical class of vulnerabilities.

The National Weather Service’s Advanced Weather Interactive Processing
System (AWIPS) uses the Log4j package, and it is included in Unidata’s
distribution of both EDEX and CAVE. The Unidata AWIPS team has been in
contact with NOAA's Information System Security Officer regarding this
vulnerability. Unidata’s AWIPS team has determined that it does not affect
Unidata’s AWIPS distribution.

In the best judgment of the Unidata AWIPS team this exploit does not
represent a threat to installed systems. As we continue to monitor the
situation, we will do our best to keep you informed about any actions you
should take to secure your AWIPS systems.

Please send any questions to support-awips@xxxxxxxxxxxxxxxx

All the best,
The AWIPS Development Team

-- 

Tiffany Meyer
AWIPS Lead Software Engineer IV
UCAR - Unidata