Log4jshell Vulnerability Update: What You Need to Know

On 5 Jan 2022 Monique Sendze and Susan McMillin sent out the following message about the log4jshell vulnerability.

Subject: Important-Please Read: Log4shell Vulnerability Update: What you Need to Know
Sender: Office of the CIO (ocio@mines.edu)
Date: January 5, 2022

Dear Orediggers, 

The threat from the “Log4jshell” vulnerability is ongoing and new exploits have been discovered since our holiday break. We had anticipated that we would be able to open the firewall blocks we put in place from all external connections to services that are hosted on-campus, but due to the security risk, we have made the difficult but most prudent decision to keep the blocks in place. So, ITS will instead be taking steps to open these systems to the outside world on a case-by-case basis after verifying that they pose no threats to the Mines network. We anticipate that we will be able to clear most business-critical systems by the start of classes on January 11th and that complete restoration may take several weeks after that.

Services that used to be available outside of Mines, but now require the use of Global Protect VPN are:  

  • Updating your password  
  • Updating account challenge questions  
  • Some research and academic department-managed systems 

Services that do not require Global Protect VPN anymore: 

  • Accessing Trailhead 
  • Entering grades 
  • Registering for classes 
  • Checking financial aid 
  • Reviewing sick/vacation time 

To see a larger list of services that have already been reviewed, or are actively being reviewed, please visit: https://helpcenter.mines.edu/TDClient/1946/Portal/KB/ArticleDet?ID=137495 (login with your Mines username and password) 

If you manage a server or service that you would like to make accessible without the VPN, please submit a ticket through: https://helpcenter.mines.edu/TDClient/1946/Portal/Requests/ServiceDet?ID=50822 

We continue to recommend that you stay connected to the VPN when accessing other Mines-related services and to use an ITS-issued device for added security, if possible. If you need the Global Protect VPN installed on your device, please follow our published instructions here: https://helpcenter.mines.edu/TDClient/1946/Portal/KB/ArticleDet?ID=133729

If you need assistance with the VPN, please contact the Mines Help Center (MSC) at https://helpcenter.mines.edu/ or call 303-384-2345.  

This vulnerability is continuing to evolve with new associated exploits announced every few days.  We will be updating the Log4j knowledgebase (KB) article at the end of each day with the latest information regarding tools and patches.  The article can be found here: https://helpcenter.mines.edu/TDClient/1946/Portal/KB/ArticleDet?ID=137232 

We apologize for any inconvenience this causes and we thank you for doing your part to protect Mines.  

Best Regards,

Monique Sendze and Susan McMillin
——————————————-

Monique Sendze, Ed.D.
Chief Information Officer
Information and Technology Solutions (ITS)
303-273-3000 | msendze@mines.edu

Susan McMillin
Chief Information Security Officer
Information and Technology Solutions (ITS) 
303-384-2699 | smcmillin@mines.edu

Our values: Trust | Integrity | Respect | Responsibility