Skip to main content


Repost Message will copy the article into draft mode and enable you to edit/change dates and information.
Do not change the dates of this posting because it will affect the original.

MCC Daily Tribune

Log4j Vulnerability Update

I would like to recognize our Technology Services team, who immediately responded with urgency when they found out about the newly discovered Log4j vulnerability on Friday December 10. The team worked night and day, over weekends, during their vacation days and over the holidays. They pro-actively sought vendor assessments and updates, investigated our systems to identify the many that contained the log4j vulnerability, took defensive action to isolate and mitigate Log4j when it was found, applied vendor patches as soon as they were released, and continue to scan, monitor and update systems and networks.

In addition to their work to protect the systems at MCC, Technology Services actively partnered with SUNY to mitigate the threats to enterprise applications hosted at SUNY ITEC.

  • MCC was one of the first SUNY schools to engage ITEC to apply Log4j mitigation to our Banner ERP system, successfully completing production updates over the holidays while the college was closed.
     
  • ITEC’s Blackboard Learning Management System Log4j mitigations were causing failures to student and faculty file uploads. Last week campuses were given a choice to either eliminate a layer of defense against Log4j or to accept the upload failures for 3-5 weeks until a vendor patch was ready. Technology Services worked directly with ITEC to define and implement a solution on Friday that restored the file upload functionality without relaxing security protection. ITEC plans to roll our solution out to the other campuses today. 

Kudos to the team for their ongoing persistence, innovation, and diligence as they defend against Log4j, and for their many hours of extra work to keep MCC systems and data safe. 

Background:

On Dec. 9, word started to spread of a newly discovered software vulnerability, called Log4j.  Log4j is part of the ubiquitous Java programming language, which is embedded in much of the computer code that runs modern systems and devices. By the next day, nearly every major IT vendor was in crisis mode, trying to figure out how their products were affected and how they could patch the hole. Cyber security experts say Log4j is the biggest software vulnerability of all time in terms of the number of services, sites and devices exposed. The reason it is so serious is that the vulnerability gives hackers access to the heart of whatever system they’re trying to get into, bypassing all the typical defenses software companies use to block attacks. The vulnerability also gives ransomware attackers a fresh way to break into computer networks and freeze out their owners. Overall, it’s a cybersecurity expert’s worst nightmare. Like Covid, Log4j is a bug we will be fighting for quite a while.

Eileen Wirley
Technology Services - AVP Office
01/20/2022