Log4shell vulnerability

A very significant security issue is making the news today. Because no vulnerability seems to be taken seriously unless it has a logo and a catchy name, this one has both.

Some more technical information is available, but in summary an attacker need only do something which causes the server to log specific data. So if a search causes the search text to be logged, then some cleverly formatted text can cause an exploit.

onCourse uses the library with the issue. While our initial review doesn’t show any vulnerability for non-logged-in users, we’ve patched all our systems just in case we missed something. Upgrades to onCourse will be rolled out over the course of the day.
