Log4j Vulnerability Confirmation

Hi All,

Tufts University became aware of the log4j vulnerability (CVE-2021-44228) and is actively investigating and evaluating the potential impact as well as the actions that need to be taken to protect against this vulnerability.
Can anyone confirm whether Open OnDemand is affected (any version)? And/or whether any other software/services your site uses are affected, so we can be aware of it as well?
Thank you!
Best,
Delilah Maloney

No version of OnDemand itself is affected. We don’t use any Java library directly.

TYSM for asking about Apps, because I thanked my lucky stars we don't use Java and forgot all about it.

Apps could be affected, but the attack vector here is small. MATLAB comes to mind, as it uses Java, though they say they're not affected. We do have old versions (back to 2015a) that may be.

https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab-run-time

I just did a spot check on 2015B and 2020A and they both use version 1.2.

I cannot think off the top of my head of what other common apps there are, but I'll let this topic know if I find any.

It’s also worth stating the attack vector here is to inject something through your app that’s listening on a port.

Now folks can't send things to your MATLAB instance, for example (it doesn't expose any ports), but they could share a .m file that does the trick. But even then, if you accept a vulnerable MATLAB file, there are easier ways to achieve the same result, like using the system() function directly.


Which is a long-winded way to say: no OnDemand version is affected, but it's worth a spot check on the apps to see if they expose any ports.

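The "spot check on the apps" above is usually done by hand (find the jar, read the version). The script below is an added example for this thread, not code from Open OnDemand, MathWorks or any poster: it walks a directory tree, opens every .jar, decides from the package layout whether the jar contains log4j 1.x or 2.x classes (so a vendor-shaded jar with a non-log4j name is still caught), reads the version from log4j-core's pom.properties, the manifest or the file name, and reports whether the JndiLookup class that CVE-2021-44228 reaches through `${jndi:...}` is present. The function names and the `build_sample_tree()` jars are hypothetical, constructed for the example; none of them are real MATLAB files. The verdict covers CVE-2021-44228 only.

```python
"""Spot-check a directory tree for bundled log4j jars (hypothetical helper,
written for this thread; not part of Open OnDemand or MATLAB)."""
import os
import re
import tempfile
import zipfile

# Class that the ${jndi:...} lookup of CVE-2021-44228 goes through (log4j 2.x only).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships; survives shading better than the jar name.
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j(?:-core|-api)?-([\w.\-]+)\.jar$")


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> (0, 0, 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    return tuple(int(x or 0) for x in m.groups()) if m else (0, 0, 0)


def jar_version(zf, path):
    """Version from log4j-core's pom.properties, else the manifest, else the file name."""
    for member, pattern in ((CORE_POM, r"^version=(\S+)"),
                            ("META-INF/MANIFEST.MF", r"^Implementation-Version:\s*(\S+)")):
        try:
            text = zf.read(member).decode("utf-8", "replace")
        except KeyError:
            continue
        m = re.search(pattern, text, re.M)
        if m:
            return m.group(1)
    m = NAME_RE.search(os.path.basename(path))
    return m.group(1) if m else "unknown"


def assess(version, is_v1, is_v2, has_jndi):
    """Verdict for one jar with respect to CVE-2021-44228 only."""
    if is_v1 and not is_v2:
        return "log4j-1.x-not-affected"    # 1.x has no lookup substitution in messages
    if not has_jndi:
        return "jndilookup-absent"         # class deleted: the documented hot-patch mitigation
    if version_tuple(version) < (2, 15, 0):
        return "AFFECTED"                  # 2.0-beta9 .. 2.14.1 with the class present (unknown version: assume worst)
    return "fixed-2.15.0-or-later"         # later 2.x CVEs are deliberately not assessed here


def scan(root):
    """Map each log4j jar under root (path relative to root) to (version, has_jndi, verdict)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    names = zf.namelist()
                    is_v1 = any(n.startswith("org/apache/log4j/") for n in names)
                    is_v2 = any(n.startswith("org/apache/logging/log4j/") for n in names)
                    if not (is_v1 or is_v2):
                        continue  # not log4j, whatever the jar is called
                    has_jndi = JNDI_CLASS in names
                    version = jar_version(zf, path)
            except zipfile.BadZipFile:
                continue
            findings[os.path.relpath(path, root)] = (
                version, has_jndi, assess(version, is_v1, is_v2, has_jndi))
    return findings


def build_sample_tree():
    """Constructed sample jars with empty class entries (not real MATLAB files)."""
    root = tempfile.mkdtemp(prefix="log4j-spotcheck-")

    def jar(name, manifest_version, entries, pom_version=None):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % manifest_version)
            if pom_version:
                zf.writestr(CORE_POM, "version=%s\n" % pom_version)
            for entry in entries:
                zf.writestr(entry, b"")

    v2 = "org/apache/logging/log4j/core/Logger.class"
    jar("log4j-1.2.17.jar", "1.2.17", ["org/apache/log4j/Logger.class"])
    jar("log4j-core-2.14.1.jar", "2.14.1", [v2, JNDI_CLASS])
    jar("log4j-core-2.14.1-hotpatched.jar", "2.14.1", [v2])         # JndiLookup removed
    jar("log4j-core-2.17.1.jar", "2.17.1", [v2, JNDI_CLASS])
    jar("vendor-bundle.jar", "9.9", [v2, JNDI_CLASS], pom_version="2.13.3")  # shaded log4j
    jar("matlab-helper.jar", "1.0", ["com/example/Helper.class"])    # no log4j at all
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, (ver, jndi, verdict) in sorted(scan(root).items()):
        print("%-40s %-10s jndi=%-5s %s" % (rel, ver, jndi, verdict))
```

Run it with an install root as the only argument (for example a MATLAB release directory); with no argument it scans the constructed sample set. A verdict of "AFFECTED" only says the vulnerable code is on disk: whether it is exploitable still depends on whether that application ever logs attacker-controlled strings, which is the "does it listen on a port" question raised above.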

Thank you so much Jeff! This is reassuring.