On Dec. 13, 2021, UCCS notified students and staff of a critical security vulnerability and required use of a UCCS-sponsored VPN to access its online systems through Jan. 7.
The vulnerability was a global technology security issue that allowed remote attackers to control a device that used specific versions of the Log4j library, a popular library utilized in many systems, including Amazon Market, Apple and Google cloud services.
While no one exploited CU systems, UCCS information security officer Neil Kautzner said via email that sensitive data on UCCS systems were at risk for exploitation.
According to the internet security website First.org, the Common Vulnerability Scoring System (CVSS) is a standard for scoring the severity of system vulnerabilities. CVSS bases the rating on how easy a vulnerability is to exploit and the potential damage it can cause.
“Log4j affected many aspects of technology, this was why it was rated as 10/10 CVSS Score,” Kautzner said.
According to software intelligence website Dynatrace.com, “The vulnerability enables an attacker to gain control over a string and trick the application into requesting and executing malicious code under the attacker’s control.”
The Log4j vulnerability is known as a “zero-day” event, which Kautzner explained as a vulnerability that had never been seen by experts before and which attackers likely exploited before experts knew of it.
Kautzner said about 60 zero-day events have occurred in the last couple of years, but this was the most severe vulnerability in the previous five years.
UCCS responded to the event a couple of days after the vulnerability was exposed. A joint effort between the four CU campuses dedicated hundreds of hours to address the vulnerability. Since zero-day events have become more common in the last few years, Kautzner said system vendors have been diligent about putting out patches quickly for critical vulnerabilities.
UCCS sent an email to students and faculty on Dec. 13, notifying them that students would require a VPN to access many UCCS and CU systems.
The email said, “UCCS utilizes University Information System (UIS) to host some of the campus services. Because of the changes that UIS and UCCS have decided to take to mitigate the Log4j vulnerability, UCCS end users will need to utilize the VPN to gain access to the services that are hosted at UIS.”
UCCS lifted the VPN requirement on Jan. 7 once the vendor released a patch fixing the vulnerability.
The VPN was an immediate fix to the exploitation problem, according to Kautzner. “As soon as we [heard] about it, then [we were] already thinking about mitigation. ‘How are we going to stop this for now? What can we do?’” Kautzner said.
The VPN ensured that only credentialed users could access the system. The temporary fix worked for this specific vulnerability; however, if a future exposure is bad enough, Kautzner said UCCS could take down the system until a patch is available to protect sensitive information.
While no one can predict zero-day events, keeping up with updates is the best way to defend against these vulnerabilities.
Kautzner said, “UCCS ensures critical systems and their applications are up to date. The best way to protect yourself from Zero Day events is to ensure that your PCs, laptops, smart phones, etc., and the apps they all use are up to date.”