ESD 112 Insurance Programs Risk Alert
Dear Risk Cooperative Member:

WSRMP’s Cyber Broker, Alliant Insurance Services, shared the following broadcast regarding information on the “Log4J” exploit. Given the potential impact, we wanted to share the information with our members as it refers to critical system flaws that may affect districts and would need to be addressed immediately.

On Friday (2021-12-10), a critical zero-day vulnerability was disclosed in a popular Java library called Log4j. The library is widely adopted and used in many commercial and open-source software products as a logging framework. The vulnerability, CVE-2021-44228, is critical because attackers can exploit it to execute code and grant themselves privileged access to systems.

The scope and breadth of this critical exploit are exceptionally broad and far-reaching, affecting any software, services, and components which use an affected version of Log4j. A non-exhaustive list of vulnerable software has been published and is being maintained by NCSC-NL.

As this is a severe vulnerability under active exploitation, we recommend that you act with urgency to patch and update any vulnerable instance of Log4j to Log4j-2.15.0; we expect this to be a time-consuming task due to the ubiquitous usage of the Log4j library and would advise using the NCSC-NL list as a starting point. We would additionally recommend evaluating logs for any intrusions and a review of network security.

Technical details

CVE-2021-44228 affects Log4j between versions 2.0 and 2.14.1.

If patching/upgrading isn't immediately possible, you can mitigate the vulnerability:
  • For version >=2.10: set log4j2.formatMsgNoLookups to true
  • For releases from 2.0 to 2.10.0: you may want to remove the JndiLookup class from log4j completely by issuing the following command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • For certain JVM versions, it is possible to set com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false to mitigate the vulnerability. Some JVM versions already have this as the default setting.
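Because finding every copy of Log4j is the time-consuming part, here is an added example (not from the alert or from Alliant) of a small inventory check: it reads the version from a log4j-core jar's manifest, reports whether it falls in the 2.0 to 2.14.1 range, and whether the JndiLookup.class removal above has been applied. It assumes the jar manifest carries an Implementation-Version entry, as Log4j release jars do; scan_directory and build_sample_jar are hypothetical helpers, and the sample jars are constructed fixtures, not real Log4j builds.

```python
import io
import re
import zipfile
from pathlib import Path

VULNERABLE_MIN = (2, 0, 0)   # CVE-2021-44228 range per the alert: 2.0 up to 2.14.1
FIXED_MIN = (2, 15, 0)       # 2.15.0 is the fixed release the alert recommends
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Turn '2.14.1' or '2.10' into a comparable tuple; anything else -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def manifest_version(jar):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in jar.namelist():
        return None
    for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def assess_jar(data, name="log4j-core.jar"):
    """Classify one log4j-core jar given as bytes (runtime properties such as
    log4j2.formatMsgNoLookups are not visible here; only the jar is checked)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = parse_version(manifest_version(jar))
        has_jndi = JNDI_CLASS in jar.namelist()
    if version is None or version < VULNERABLE_MIN:
        status = "unknown-version"   # no usable manifest version, or a 1.x jar (not this CVE)
    elif version >= FIXED_MIN:
        status = "patched"
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "mitigated"         # JndiLookup.class removed, as in the zip -d workaround
    return {"name": name, "version": version, "jndi_class_present": has_jndi, "status": status}

def scan_directory(root):
    """Walk a directory tree and assess every log4j-core*.jar found (hypothetical helper)."""
    return [assess_jar(p.read_bytes(), str(p)) for p in Path(root).rglob("log4j-core*.jar")]

def build_sample_jar(version, include_jndi):
    """Constructed fixture: a minimal fake jar with just a manifest, not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()
```

Run scan_directory over application and library paths; note that it does not look inside war, ear or shaded "fat" jars that bundle log4j-core, which need to be unpacked and checked separately.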
You may check for exploitation attempts in your logs using the following:
  • Web server Linux/Unix command - sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log/
  • Searching network logs for - jndi:ldap or /Basic/Command/Base64/
If you have any questions about this alert, please contact Trista Greenwood at trista.greenwood@esd112.org.
www.esd112.org/insurance