Alerts | Page 12 | Information Technology | University of Pittsburgh
Alerts

Additional Guidance Regarding the Log4j Vulnerability

Monday, December 13, 2021 - 16:30

As we communicated on Friday, Pitt Information Technology is aware of a zero-day, critical security vulnerability in Java logging library Log4j (CVE-2021-44228), also known as Log4shell. If successfully exploited, this vulnerability can allow unauthenticated remote code execution and access to servers. Below please find additional information and guidance about this new vulnerability.

What Is Log4j?

Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications, and email services. As a result, a wide range of software could be at risk from attempts to exploit the vulnerability. The severity of the vulnerability in such a widely used library means that organizations and technology vendors are being urged to counter the threat as soon as possible. Pitt IT has detected attackers already attempting to scan for vulnerable instances of Log4j.

What Versions of Log4j Are Affected?

Systems and services that use the Log4j Java logging library between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java. Other versions that have yet to be identified may also be affected.

Log4j version 1.x is not directly vulnerable, because it does not offer a JNDI lookup mechanism. However, Log4j 1.x ships with JMSAppender, which performs a JNDI lookup if it is enabled in Log4j's configuration file (i.e., log4j.properties or log4j.xml). Thus, an attacker who can write to an application's Log4j configuration file can achieve remote code execution whenever Log4j 1.x reads that malicious configuration file.

What Mitigation Steps Should Be Taken?

  1. Pitt IT is in the process of contacting enterprise service vendors to apply the recommended mitigations immediately to address the critical vulnerabilities.
  2. IT Partners should also contact all application vendors for the services they support and apply the recommended mitigations as soon as possible.
    1. View a list of vendor updates related to the Log4j vulnerability…

Does the SLF4J API Mitigate the Vulnerability?

No. Using Log4j 2.x via the SLF4J Application Programming Interface does not mitigate the vulnerability. However, as mentioned previously, Log4j version 1.x is safe with respect to this vulnerability (subject to the JMSAppender configuration caveat above). Therefore, if your SLF4J provider/binding is slf4j-log4j12.jar, you are not affected by this vulnerability.
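The two checks described above (which log4j-core versions fall in the affected 2.0 to 2.14.1 range, and whether a Log4j 1.x configuration file defines JMSAppender) can be run over a file tree with a short inventory script. The following Python script is an added example, not part of this announcement or of Pitt IT's tooling; it assumes jars follow the usual Maven naming (`log4j-core-<version>.jar`, `log4j-<version>.jar`, `slf4j-log4j12-<version>.jar`), falls back to the jar manifest's `Implementation-Version` when the name carries no version, and looks for the `org.apache.log4j.net.JMSAppender` class name in `log4j.properties` / `log4j.xml`.

```python
"""Inventory helper for the Log4j guidance above (added example, not Pitt IT's tooling).

Walks a directory tree and reports:
  - log4j-core jars in the announced affected range (2.0 through 2.14.1)
  - Log4j 1.x jars, which are not directly vulnerable but need a config check
  - the slf4j-log4j12 binding, which routes SLF4J to Log4j 1.x
  - Log4j 1.x configuration files that define JMSAppender
"""
import os
import re
import sys
import zipfile
from typing import Iterator, Optional, Tuple

# Version range the announcement names as affected (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Assumed Maven-style artifact names; "log4j-core" is listed before "log4j"
# so the alternation prefers the longer artifact name.
JAR_NAME_RE = re.compile(
    r"^(log4j-core|log4j|slf4j-log4j12)-(\d+(?:\.\d+)*)[^/]*\.jar$", re.IGNORECASE
)
CONFIG_NAMES = {"log4j.properties", "log4j.xml"}
JMS_APPENDER_RE = re.compile(r"org\.apache\.log4j\.net\.JMSAppender", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.14' into a 3-tuple; missing components become 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def classify_jar(filename: str) -> Optional[str]:
    """Classify a jar by its file name; returns None for unrelated jars."""
    m = JAR_NAME_RE.match(os.path.basename(filename))
    if not m:
        return None
    artifact, version = m.group(1).lower(), parse_version(m.group(2))
    if artifact == "slf4j-log4j12":
        return "slf4j-log4j12 binding (routes to Log4j 1.x; not affected by CVE-2021-44228)"
    if version[0] == 1:
        return "log4j 1.x (not directly vulnerable; check its config for JMSAppender)"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "AFFECTED: log4j-core %d.%d.%d (CVE-2021-44228); upgrade to 2.15.0" % version
    return "log4j-core %d.%d.%d (outside the announced 2.0-2.14.1 range)" % version


def jar_version_from_manifest(path: str) -> Optional[str]:
    """Fallback for jars renamed without a version: read Implementation-Version from the manifest."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def config_defines_jms_appender(config_text: str) -> bool:
    """True if a Log4j 1.x properties/xml configuration references JMSAppender."""
    return JMS_APPENDER_RE.search(config_text) is not None


def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, finding) for every relevant jar or Log4j 1.x config under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            finding = classify_jar(name)
            if finding is None and lower.startswith("log4j-core") and lower.endswith(".jar"):
                version = jar_version_from_manifest(path)
                if version:
                    finding = classify_jar("log4j-core-%s.jar" % version)
            if finding:
                yield path, finding
            elif lower in CONFIG_NAMES:
                try:
                    with open(path, "r", errors="replace") as fh:
                        if config_defines_jms_appender(fh.read()):
                            yield path, "Log4j 1.x config defines JMSAppender (JNDI lookup possible)"
                except OSError:
                    continue


if __name__ == "__main__":
    for found_path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % (found_path, found))
```

Run it as `python log4j_inventory.py /path/to/app` on each host being checked. The name-based match deliberately ignores `log4j-api` jars and does not look inside nested archives (war, ear, shaded jars), so treat its output as a starting inventory rather than proof of absence; the vendor confirmations called for in the mitigation steps remain the authoritative answer for packaged products.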

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.

Vulnerability in Apache Log4j Could Allow for Remote Code Execution

Friday, December 10, 2021 - 14:48

Pitt Information Technology is aware of a new critical vulnerability in Apache Log4j, a commonly used logging package for Java. An attacker who successfully exploits the vulnerability could execute remote code within the context of the systems and services that use the Java logging library, including many services and applications written in Java.

Pitt IT is not aware of the vulnerability being exploited at the University, but it is being actively exploited elsewhere. We recommend that units with systems running Apache Log4j take the following actions:

  • Apply the latest patches (version 2.15.0) provided by Apache after appropriate testing.
  • Run all systems and services as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the Principle of Least Privilege to all systems and services.

Additional details are available from the SANS Technology Institute. Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.

Guidance Regarding Box Permission Levels

Thursday, December 2, 2021 - 11:42

Two Box permission levels (Uploader and Preview Uploader) will no longer be available effective Tuesday, Jan. 4, 2022.

These Box permission levels are sometimes used to allow multiple collaborators to upload files to a shared folder. The folder’s owner can view files uploaded by all collaborators, but collaborators can view only the files they themselves have uploaded.

While most Box permission levels have a near equivalent in OneDrive that will be utilized during the cloud storage migration, Uploader and Preview Uploader do not. The closest OneDrive permission level would allow collaborators to view and edit any uploaded files in the shared folder. Therefore, to ensure that data remains accessible only to those with whom the folder owner intends to share it, Box’s Uploader and Preview Uploader permission levels will be disabled on Jan. 4, 2022. After Jan. 4, 2022, existing collaborators will no longer have access to folders that used those permissions.  

If you use the Uploader or Preview Uploader permission levels on any of your Box folders, please consider the following alternative solutions that provide similar functionality:    

  • Use Canvas Online Assignments: Instructors who use Box permissions to enable students to submit assignments to a shared folder can replicate this functionality right within their Canvas courses using the Online Assignments option. View instructions …   
  • Upload Email Attachments to OneDrive Automatically: You can use Microsoft Power Automate to create an automated workflow that moves email file attachments you receive to a specific folder in OneDrive. View guided learning and documentation …  
  • Create a File Request: OneDrive’s File Request feature enables you to choose a folder where others can upload files using a link that you send them. Note that the uploader’s identity is not automatically captured unless they are already logged in via Pitt Passport, so this option may not be suited to certain scenarios. View instructions …

If you have questions regarding Box or OneDrive permission settings, please contact the Technology Help Desk so that we may assist you.

Updated Qualtrics Results-Reports Preview Available

Tuesday, January 4, 2022 - 13:10

The vendor for Online Survey System (Qualtrics) is offering a preview of its Results-Reports with an updated user experience that provides more intuitive ways to analyze, share, and consume survey results.

A redesigned Results-Reports page is accessible from the global navigation menu and offers:

Please visit the Qualtrics home and Results-Reports webpages for additional details. In February 2022, users will be opted in by default. A “Switch back” option will allow users to alternate between the new and legacy experiences for several months.

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.

Overnight Network Outages Scheduled for Dec. 4-5, 11-12, and 18-19

Wednesday, December 1, 2021 - 10:09

Pitt Information Technology will be performing maintenance on core network equipment servicing PittNet beginning at 11 p.m. on Saturday, Dec. 4, 11, and 18. Work on each of these weekends is expected to last until 4 a.m. the next morning (Sunday, Dec. 5, 12, and 19). Each outage window will consist of brief interruptions in service of 30 to 45 minutes while switches on the University network are rebooted. Connectivity to PittNet wired and Wi-Fi networks will be impacted for all devices, including Teams and Avaya phones, in the following building locations on the Pittsburgh campus:

Saturday, Dec. 4 – Sunday, Dec. 5

  • Allen Hall
  • Benedum Hall
  • Biomedical Science Tower (BST1)
  • Biomedical Science Tower (BST3)
  • Gardner Steel Conference Center
  • Nordenberg Hall
  • Nuclear Physics
  • Old Engineering Hall (OEH)
  • Peterson Events Center
  • Thackeray Hall
  • Sutherland Hall

Saturday, Dec. 11 – Sunday, Dec. 12

  • Cathedral of Learning
  • Crabtree Hall
  • Darragh Street Apartments
  • Fitzgerald Field House
  • Lothrop Hall
  • Olympic Sports Complex
  • Parran Hall
  • Salk Hall
  • Scaife Hall
  • Trees Hall
  • UPMC Presbyterian Hospital (via UPMC MPLS tunnels)
  • Victoria Hall

Saturday, Dec. 18 – Sunday, Dec. 19

  • Alumni Hall
  • Bakery Square
  • Barco Law Building
  • Baum Blvd
  • Bellefield Hall
  • Biotech Center
  • Bouquet Gardens
  • Bridgeside Point
  • Center Plaza
  • Clapp Hall
  • Crawford Hall
  • Forbes-Craig Apartments
  • Forbes Quad
  • Forbes Tower
  • Frick Fine Arts Building
  • Heinz Chapel
  • Hillman Library
  • Langley Hall
  • Lexington Technology Facility
  • Life Sciences Building
  • McGowan Institute
  • Mervis Hall
  • Melwood Maintenance Building
  • Music Building
  • Parkvale Building
  • Plum Lab
  • Ruskin Hall
  • Sennott Square
  • Sterling Plaza
  • Thomas Blvd.
  • Veterans Administration (VA) Pittsburgh Healthcare System

Users with systems in buildings affected by this maintenance schedule are advised to close connections to network resources.

Please share this information with others in your department as appropriate and contact the Technology Help Desk at 412-624-HELP (4357) with any questions or concerns.

Reminder: CourseWeb (Blackboard Learn) to be Fully Decommissioned on December 24

Tuesday, November 30, 2021 - 13:17

As a reminder, Pitt Information Technology contacted all instructors to let them know that CourseWeb (Blackboard Learn) will be fully decommissioned on Friday, Dec. 24, 2021. The Blackboard Learn website will no longer be accessible to any user after this date.

Prior to decommissioning, instructors can request temporary access to the full Blackboard site and all data stored there using this form. Requests will be reviewed by system administrators on a first-come, first-served basis. However, submitting a request to access the archive does not automatically guarantee its approval.

For more information about what happens to Blackboard data after it is decommissioned, visit the Blackboard Data Retrieval page.

As previously announced, Pitt has successfully transitioned from Blackboard Learn to Canvas as our learning management system (LMS). Find details and the latest updates at teaching.pitt.edu/canvas. Canvas also offers 24/7/365 support for all Pitt faculty, students, and staff.

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.

Brief Pittsburgh Campus Phone Service Interruption on November 30

Tuesday, November 23, 2021 - 09:08

Incoming phone calls to University of Pittsburgh telephones on the Pittsburgh campus may be briefly interrupted beginning at 9 a.m. on Tuesday, Nov. 30, as a portion of campus telephone numbers are transitioned to a new service provider.

Incoming calls to Pittsburgh campus phones may not connect if the call is placed while the phone number is being moved to the new service provider. Individual phone numbers may be unavailable for up to 15 minutes during the transition. Outgoing calls placed from Pittsburgh campus phones will not be affected.

The University of Pittsburgh Police Department will continue to be able to receive calls at 412-624-2121 from any active phone throughout the maintenance period. The University’s Emergency Notification Service will also remain operational.

Full phone service should resume by 11:30 a.m. If you experience issues receiving calls after that time, please report them to the Technology Help Desk and, when possible, include the phone number of the person who was trying to reach you and the time that they called.

Set Duo Multifactor Authentication to “Remember” You for 24 Hours

Tuesday, January 12, 2021 - 08:49

Multifactor Authentication at Pitt (Duo) is now even easier with the “Remember me” feature. After you have selected “Remember me,” you will not need to use Duo multifactor authentication again for 24 hours when accessing web apps through Pitt Passport, as long as you use the same browser, on the same device.

To use the feature, click the Remember me for 24 hours checkbox at the bottom of the Duo authentication screen, then select your authentication method. If the “Remember me” box does not appear, click Cancel and then you should be able to select the checkbox and proceed to authenticate.

  • Tip: Your Internet browser must allow cookies from the duosecurity.com domain to be stored on your computer in order for the feature to work.

Some services time out in fewer than 24 hours. When that happens, you will be prompted to enter your username and password on the Pitt Passport login screen again, but you will not be required to accept a push from Duo.

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions about this announcement.

Phishing Alert: Fake UNICEF Work-From-Home Job Opportunity Scam

Friday, November 12, 2021 - 19:24

Pitt Information Technology has identified an email phishing scam targeting students, faculty, and staff claiming to be soliciting applications for a work-from-home job opportunity. The scam appears to originate from a legitimate pitt.edu email address and may falsely offer part-time work with UNICEF. Scammers may attempt to convince individuals who respond to share their University credentials or provide some form of monetary payment.  

The following is a sample of a recent fraudulent email. If you receive this message (or any message similar to it), please report it as a phishing scam by forwarding the email message as an attachment to phish@pitt.edu. Detailed instructions on reporting scams are available at https://www.technology.pitt.edu/security/phishing-scams.

******************************************************************************

Subject: Re: UNICEF Job Opportunity

I am sharing job opportunity information to employees and students who might be interested in a paid UNICEF Part-Time job with a weekly pay of $500.00 (USD).

Attached is further information about the employment schedule. Kindly follow the steps in the attached document and contact Ms. Etleva Kadilli with your alternate non-official email address (i.e. Gmail, Yahoo, Hotmail, etc.) for more details of employment.

Take note; this is strictly a work-from-home position.

Sincerely,

Name Removed

******************************************************************************

Pitt IT strongly recommends that you do not reply to unsolicited emails or emails from unverifiable sources. If you were not expecting to receive such an email, confirm with the sender prior to interacting with the message. If you must interact with the message, avoid clicking on links contained in such emails. These may lead to sites that contain malicious software, or sites that attempt to steal your credentials. If a link looks suspicious, you can hover over the link with your mouse to preview the URL without clicking on it.

In addition, Pitt IT recommends that all students, faculty, and staff install Antivirus and Anti-Malware (Malwarebytes) Protection. Departments can submit a help request to obtain Malwarebytes for multiple machines.

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.

November Microsoft Security Update

Tuesday, November 9, 2021 - 17:05

Microsoft Corporation has announced security updates for November that affect the following software: 

  • 3D Viewer
  • Azure
  • Azure RTOS
  • Azure Sphere
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Edge (Chromium-based) in IE Mode
  • Microsoft Exchange Server
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Windows
  • Microsoft Windows Codecs Library
  • Power BI
  • Role: Windows Hyper-V
  • Visual Studio
  • Visual Studio Code
  • Windows Active Directory
  • Windows COM
  • Windows Core Shell
  • Windows Cred SSProvider Protocol
  • Windows Defender
  • Windows Desktop Bridge
  • Windows Diagnostic Hub
  • Windows Fastfat Driver
  • Windows Feedback Hub
  • Windows Hello
  • Windows Installer
  • Windows Kernel
  • Windows NTFS
  • Windows RDP
  • Windows Scripting
  • Windows Virtual Machine Bus

Pitt Information Technology recommends that users immediately identify and install the security updates necessary to remediate these vulnerabilities by using Microsoft's Windows Update feature on their computers as soon as possible. Additional information about the updates is available on Microsoft’s Security TechCenter.

In addition, Pitt IT recommends that all students, faculty, and staff install Antivirus and Anti-Malware (Malwarebytes) Protection. Departments can submit a help request to obtain Malwarebytes for multiple machines.

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.