Last Friday, it was announced that a vulnerability had been discovered in a piece of software that is widely used around the world. The vulnerability concerns the log functionality in Apache, a web server. This log functionality is used in various applications at the AUAS and the UvA, for example in software programmed in the Java language.
The National Cyber Security Centre has observed that malicious parties are actively abusing this vulnerability. The higher education sector has also seen attacks. To prevent the AUAS and the UvA from becoming the target of such attacks, the Computer Emergency Response Team (CERT) and the ICT Services department have been taking various measures since Friday.
The Apache Log4j supplier is working hard on a solution. In the meantime, CERT and ICT Services, in collaboration with IT colleagues in the faculties and service departments, are making a complete inventory of all AUAS and UvA systems and applications in order to determine where the vulnerability exists and how to deal with it where it does. The suppliers of AUAS and UvA systems and applications are also engaged with the situation. In addition, the security measures in our network have been tightened.
Our Security Operations Centre is actively monitoring our systems and network for possible abuses of the vulnerability. There is currently no reason to believe that any misuse has taken place. There is currently no impact on the continuity of education, research or operational management at the AUAS or the UvA.
As a preventive measure, SIS is temporarily only accessible to employees using VPN, even if they are working on campus. More information about using a VPN can be found at: VPN (Accessing the UvA network) - Executive Staff and SSU - University of Amsterdam
Students temporarily do not have access to SIS. If necessary, students can access their grades via the MijnUvA app. Course registration continues through the Planner.
If you have additional questions, please contact the ICT Service desk.