
[AWIPS #PJI-615612]: log4j vulnerability



Hi Gyorgyi,

> Does the log4j zero day vulnerability affect EDEX and CAVE?

Thanks for reaching out and being so on top of this. We're in the process of typing up a message to send out to our community.
Our version does use log4j, but a much older version of it.
We aren't sure, yet, if CAVE machines are vulnerable but it would be best to limit remote access to them, just in case.
It is possible EDEX machines could be vulnerable to attack. We are currently working on upgrading the version of log4j and testing to see if that breaks any EDEX functionality.
Once we've worked that out we will include it in our new release which should be out within the next two weeks.
In the interim, it might be advisable to limit EDEX access based on IP address or URL, if possible (and you might already be doing that).

Sorry I don't have more detailed information for you at this time.

--Shay Carter

She/Her/Hers
AWIPS Software Engineer
UCAR - Unidata

If you're interested, please feel free to fill out a survey about the support you receive:
https://docs.google.com/forms/d/e/1FAIpQLSeDIkdk8qUMgq8ZdM4jhP-ubJPUOr-mJMQgxInwoAWoV5QcOw/viewform

Ticket Details
===================
Ticket ID: PJI-615612
Department: Support AWIPS
Priority: Normal
Status: Open
===================
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata 
inquiry tracking system and then made publicly available through the web.  If 
you do not want to have your interactions made available in this way, you must 
let us know in each email you send to us.