Dear list members,

today we received several requests regarding CVE-2021-44228 (log4j - 0-day exploit).

According to our own analysis ILIAS and (more precisely) the ilServer is most probably NOT affected by this vulnerabilty. The java server uses the 1.x release of log4j, which seems to be NOT impacted if(!) the configuration of the application does not(!) use JNDI or JMS Appender, which is given for the ilServer.

Nevertheless the maintainer of the ilServer decided to upgrade the log4j library to the recommended version 2.15.x in all maintained ILIAS releases (still in progress).

We would like to also create awareness that other applications in your infrastructure might be impacted by CVE-2021-44228.

We always recommend to keep your ILIAS installations up-to-date. For more detailed explanations don't hesitate to contact us.

Best regards, The ILIAS Security Group

on behalf of the ILIAS e.V. and the Technical Board