International ILIAS Blog
log4j - All-clear for ILIAS
ILIAS is not affected by the currently reported security problem (CVE-2021-44228) in the log4j library, which ILIAS also uses. The reason is that ILIAS uses the older version 1.2.15, which does not yet have the affected function, see also here.
However, this all-clear only applies to ILIAS itself, not to third-party software that ILIAS may use, e.g. via plugins. Therefore, we call on all ILIAS users to check their IT infrastructure to see whether other software is in use that uses log4j.
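One way to run that check over an installation or plugin directory, as an added example that is not ILIAS code: it inventories log4j JARs by file name and by the presence of the `JndiLookup` class, and sorts them into the 1.x line, releases at or above 2.15.0, and everything that needs a closer look. The verdict labels, function names and sample file names are assumptions made for this illustration.

```python
import os
import re
import tempfile
import zipfile

# JNDI lookup class of log4j-core 2.x; the 1.2.x line does not ship it.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$", re.I)
FIXED = (2, 15, 0)  # release the post names as the updated version

def classify(jar_path):
    """Return a verdict string for one JAR (nested archives are not unpacked)."""
    m = NAME_RE.search(os.path.basename(jar_path))
    version = tuple(int(g or 0) for g in m.groups()) if m else None
    try:
        with zipfile.ZipFile(jar_path) as jar:
            has_jndi = JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return "unreadable"
    if version is None:  # name gives no version: rely on the class check
        return "review" if has_jndi else "not-log4j"
    if version[0] == 1:
        return "1.x"
    return "updated" if version >= FIXED else "review"

def scan(root):
    """Walk root and return {relative_path: verdict} for log4j-related JARs."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".jar")):
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            if verdict != "not-log4j":
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = verdict
    return findings

def demo():
    """Scan constructed sample JARs (empty stand-ins, not real log4j builds)."""
    samples = {"ilias/log4j-1.2.15.jar": [], "plugin/log4j-core-2.14.1.jar": [JNDI_CLASS],
               "plugin/log4j-core-2.15.0.jar": [JNDI_CLASS],
               "plugin/shaded-app.jar": [JNDI_CLASS], "plugin/other-lib-1.0.jar": []}
    with tempfile.TemporaryDirectory() as root:
        for rel, members in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zipfile.ZipFile(path, "w") as jar:
                for member in ["META-INF/MANIFEST.MF", *members]:
                    jar.writestr(member, b"")
        return scan(root)
```

Call `scan()` with the directory to inspect; `demo()` runs it over the constructed samples. A "review" verdict covers both 2.x JARs below 2.15.0 and renamed or bundled JARs that still contain the lookup class.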
During the night, the responsible developer created updates for all maintained ILIAS versions (5.4, 6, 7 and trunk) and updated the log4j library to the latest and secure version 2.15.0. Many thanks to Stefan Meyer for this. All subscribers have now been informed via the well-known mailing lists ilias-admins@lists.ilias.de and developer@lists.ilias.de. Those who have not yet subscribed to these mailing lists should do so immediately.
In this context, we would like to point out again that ILIAS users should always keep their installations up to date in order to benefit from all security fixes immediately.