Log4j Critical Update

UPDATE, 12.20.2021: For the latest information on the Log4j cybersecurity threat as it emerges, please see the Cybersecurity & Infrastructure Security Agency (CISA) website.

As an update to our December 10th and December 14th posts on Log4j: previous alerts advised updating to Log4j version 2.15.0 or higher, but version 2.15.0 has been shown not to fully remediate the vulnerability in certain non-default configurations, and a new Remote Code Execution (RCE) vulnerability has been discovered in version 2.15.0. Admins are advised to update to Log4j version 2.16.0 immediately. If you applied mitigation measures instead of updating, please review the mitigation measures from Apache once again, as some of the preliminary recommendations were found to be insufficient.
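To find hosts that still need the update, the sketch below walks a directory tree and reports every log4j-core copy older than 2.16.0, including copies bundled inside WAR/EAR or fat-JAR files. It is an added example, not code from this post, Apache or CISA. It assumes the jar still carries its Maven `pom.properties` metadata (stripped or repackaged jars are missed), and the function names and the sample archives in `demo()` are constructed for illustration.

```python
import io, re, tempfile, zipfile
from pathlib import Path

FIXED = (2, 16, 0)  # minimum version the advisory tells admins to run
# Maven metadata path inside log4j-core jars (assumption: not stripped by repackaging)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def parse(version):  # '2.15.0' -> (2, 15, 0); qualifiers such as '-beta9' are ignored
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def scan_archive(data, label, depth=0):
    """Yield (location, version) for log4j-core copies, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it rather than abort the sweep
    with zf:
        if POM in zf.namelist():
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            if m:
                yield label, m.group(1).strip()
        for n in zf.namelist():
            if depth < 3 and n.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(n), f"{label}!{n}", depth + 1)

def find_outdated(root):
    """Return [(location, version)] for every log4j-core below FIXED under root."""
    paths = [p for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix.lower() in ARCHIVES]
    return [(loc, v) for p in paths
            for loc, v in scan_archive(p.read_bytes(), str(p.relative_to(root))) if parse(v) < FIXED]

def make_jar(files):
    """Build a constructed sample archive in memory (not a real Log4j jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    # Constructed tree: 2.15.0 and 2.16.0 jars plus a WAR that bundles 2.14.1
    jar = lambda v: make_jar({POM: f"artifactId=log4j-core\nversion={v}\n"})
    with tempfile.TemporaryDirectory() as d:
        for v in ("2.15.0", "2.16.0"):
            Path(d, f"log4j-core-{v}.jar").write_bytes(jar(v))
        Path(d, "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": jar("2.14.1")}))
        return find_outdated(d)
```

Call `find_outdated()` on an application or deployment directory; an empty list means no log4j-core below 2.16.0 was identified through its Maven metadata, not that the host is confirmed clean.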

Resources:

CISA web pages (which are being continually updated)