Apache Log4j is a widely adopted, open source logging package for Java deployed in hundreds of millions of systems worldwide, including in software used by K12 organizations. On Dec 10, 2021, CVE-2021-44228 was published in the National Vulnerability Database. The Log4j vulnerability is TRIVIAL to exploit and rated ‘10.0 CRITICAL.’ It allows threat actors to remotely take control of affected systems. CISA is urging all organizations to assess their exposure – directly and via their vendor relationships – and take steps to mitigate the vulnerability.
The K12 Security Information Exchange (K12 SIX) – with input from its members – designed a Google Sheet to crowdsource the Log4j vulnerability status of commonly used K12 software (both in the classroom and for operations/administration). The aim is to reduce the burden on K12 IT staff with responsibility for protecting their school community from malicious exploitation of the Log4j security vulnerability. By crowdsourcing this information, K12 IT staff can more efficiently prioritize their mitigation and response efforts.
LINK: https://docs.google.com/spreadsheets/d/13b4OpI7Xl9YMG62TZWy0baYCF61wvM0fitRgF6ulq9I/edit?usp=sharing
Members of the K12 community are strongly encouraged to:
- Use information contributed by other K12 community members to protect the school communities you serve
- Contribute new information to the Google Sheet about the vulnerability status of K12 software you use or are aware of
- Share the resource widely within your state, regional, and local networks
The resource itself includes summary information about the Log4j vulnerability, links to other credible resources, and instructions on how to contribute to the growing body of Log4j vulnerability information.