Dear list members,
As written yesterday: ILIAS is not vulnerable to the current security
issue that is getting wide media coverage. But we have followed the
vendor's recommendation and also the official BSI advisory and updated
the logging dependency in the ilServer to the newest available version.
The release manager and the product manager are already working on
preparing a special release out of the regular schedule and we are
confident that we will be able to announce it at very short notice. If you feel
you can't wait for the release to be bundled and tagged, you can already
update your installation using the "git pull" method as described in
https://docu.ilias.de/goto_docu_lm_367.html#minor-upgrade .
We always recommend keeping your ILIAS installations up-to-date. For
more detailed explanations, don't hesitate to contact us.
Best regards,
The ILIAS Security Group
on behalf of the ILIAS e.V. and the Technical Board

Dear list members,
today we received several requests regarding CVE-2021-44228 (log4j -
0-day exploit).
According to our own analysis, ILIAS and (more precisely) the ilServer is
most probably NOT affected by this vulnerability.
The Java server uses the 1.x release of log4j, which seems to be NOT
impacted if(!) the configuration of the application does not(!) use the JNDI
or JMS Appender, which is the case for the ilServer.
Nevertheless, the maintainer of the ilServer decided to upgrade the log4j
library to the recommended version 2.15.x in all maintained ILIAS
releases (still in progress).
We would like to also create awareness that other applications in your
infrastructure might be impacted by CVE-2021-44228.
We always recommend keeping your ILIAS installations up-to-date. For
more detailed explanations, don't hesitate to contact us.
Best regards,
The ILIAS Security Group
on behalf of the ILIAS e.V. and the Technical Board
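The condition stated in the message above (a log4j 1.x deployment is only exposed through the JMS Appender, whose JNDI lookup is configured in the logging configuration) can be turned into a quick check over an installation's own log4j 1.x configuration files. The script below is an added example and is not ILIAS or ilServer code; the configuration snippets are constructed, the `org.apache.log4j.net.JMSAppender` class name is the standard log4j 1.x appender class, and all other values are placeholders.

```python
"""Check log4j 1.x configuration (properties or XML) for the JMSAppender / JNDI path.

Added example for this thread, not ilServer code. It only inspects configuration
text; it does not touch the running application.
"""
import re
import sys
import xml.etree.ElementTree as ET

# The log4j 1.x appender that performs a JNDI lookup is org.apache.log4j.net.JMSAppender.
# "jndi" is matched as well so that context-factory settings in properties files are surfaced.
RISK_PATTERN = re.compile(r"JMSAppender|jndi", re.IGNORECASE)


def scan_properties(text):
    """Return (key, value) pairs from a log4j.properties text whose value references JMSAppender/JNDI."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # comment or blank line
        sep = "=" if "=" in line else ":" if ":" in line else None
        if sep is None:
            continue
        key, _, value = line.partition(sep)
        key, value = key.strip(), value.strip()
        if RISK_PATTERN.search(value):
            findings.append((key, value))
    return findings


def scan_xml(text):
    """Return (appender name, class) pairs for appenders in a log4j.xml document that use JMSAppender."""
    root = ET.fromstring(text)
    # log4j 1.x XML uses a prefixed root (log4j:configuration) but unprefixed <appender> children.
    return [
        (appender.get("name", "?"), appender.get("class", ""))
        for appender in root.iter("appender")
        if RISK_PATTERN.search(appender.get("class", ""))
    ]


def is_affected_config(text):
    """True if the configuration text (XML or properties format) enables the JMS/JNDI appender path."""
    if text.lstrip().startswith("<"):
        return bool(scan_xml(text))
    return bool(scan_properties(text))


# Constructed sample configurations (placeholders, not real deployments).
SAFE_PROPERTIES = """\
# file-only logging, no JMS appender
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=ilServer.log
"""

RISKY_PROPERTIES = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.example.jndi.PlaceholderContextFactory
log4j.appender.jms.ProviderURL=PLACEHOLDER_PROVIDER_URL
log4j.appender.jms.TopicBindingName=PLACEHOLDER_TOPIC
"""

SAFE_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="ilServer.log"/>
  </appender>
  <root><priority value="info"/><appender-ref ref="file"/></root>
</log4j:configuration>
"""

RISKY_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="ilServer.log"/>
  </appender>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="InitialContextFactoryName" value="PLACEHOLDER_FACTORY"/>
  </appender>
  <root><priority value="info"/><appender-ref ref="file"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    # Usage: python check_log4j1.py log4j.properties log4j.xml ...
    # Without arguments the constructed samples are checked.
    paths = sys.argv[1:]
    samples = {p: open(p, encoding="utf-8").read() for p in paths} if paths else {
        "SAFE_PROPERTIES": SAFE_PROPERTIES, "RISKY_PROPERTIES": RISKY_PROPERTIES,
        "SAFE_XML": SAFE_XML, "RISKY_XML": RISKY_XML,
    }
    for name, text in samples.items():
        print(f"{name}: {'JMS/JNDI appender configured' if is_affected_config(text) else 'no JMS/JNDI appender'}")
```

The check reports only what the configuration enables; a `JMSAppender` finding is the signal to apply the upgrade described in the message, while an empty result matches the "not affected if the JMS Appender is not used" condition stated above and is no substitute for updating the library.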