ORCID Update on Apache log4j vulnerability


Will Simpson

Dec 14, 2021, 6:36:59 PM
to ORCID API Users
You may be aware of the recent vulnerability discovered in the widely used open source logging library Apache log4j (the exploit listed as CVE-2021-44228, and the follow-up CVE-2021-45046).

We became aware of this issue at 2021-12-11 14:42 UTC and our Tech team enacted our rapid incident response protocol over the weekend to assess the impact on our systems. We determined that the ORCID Registry was among the systems that could be affected and took steps to immediately mitigate any possible threat, patching all affected servers.

In addition, our externally accessible endpoints are protected by Cloudflare, which automatically applied changes to prevent any exploitation of the vulnerability at an early stage in the event.

We have also taken action to engage with third parties and critical vendors to address potential vulnerability and ensure a secure path forward.

Due to the widespread nature of the Log4j vulnerability, our Tech team will continue to monitor for evidence of any security exploits due to Log4j and will treat its remediation as our highest priority. However, at this time we are confident that our systems are safe and intact. We will provide further updates as and when we learn any new information.

Best wishes,

Will Simpson
Director of Technology, ORCID

Will Simpson

Dec 20, 2021, 8:29:56 AM
to ORCID API Users
Further to the 2 vulnerabilities above, another was announced at the end of last week, CVE-2021-45105.

The mitigations already in place protect us against this vulnerability, so we are not affected.

Best wishes,

Will
Director of Technology, ORCID

Will Simpson

Dec 20, 2021, 11:50:48 AM
to ORCID API Users
I did mean CVE-2021-45105, but unfortunately I linked to the wrong CVE in my previous post.

I mean that we are clear through CVE-2021-45105.

Best wishes,

Will
Director of Technology, ORCID

