The Ministry of Education has advised that a security flaw has been found in several systems used by schools and early childhood providers.
In a statement, the Ministry said the serious vulnerability had been found in a software component called Log4j.
Log4j is a small piece of software that is used as a building block in many types of software and online services, including the ones used by schools, kura and early childhood services. Because it’s just one of the components in a piece of software, you might not know if your school uses it, the Ministry said.
“This issue affects lots of software across the internet; it isn’t specific to school software. For example, it could affect routers, management systems, servers or other internet-connected software or hardware.”
“The Ministry recommends you contact your IT provider or internal IT staff if you haven’t heard from them already. Ask them to check if you use Log4j in your systems, and to apply any necessary updates. If they need further information, technical guidance is available on the CERT NZ website.
“If any of your software providers have recently asked you to update your software, we recommend you do this immediately too.”
“Because Log4j is used in lots of software, you may need to update multiple applications, services, and devices.”
The Ministry said it was also working with Network for Learning to put temporary blocks on some overseas internet traffic to make it more difficult for attackers to use this vulnerability.
“This is not a permanent measure, but it’s intended to give schools a bit of time to fix the items on their network,” it said.
“Schools who have this block in place will have been contacted by N4L; see the email they’ve sent you for more information, or contact the N4L Helpdesk on 0800 LEARNING. We will continue working with N4L to investigate, support and advise schools as the situation progresses.”
It said the vulnerability means online attackers can access the systems that use Log4j without a user’s knowledge.
“If they get into your systems they could put in their own malicious software such as viruses and malware and your school could be affected by a serious cyber incident, like a data breach or contain ransomware. It’s like having an unlocked side door into your school – someone with bad intentions could put anything in.”
If you have more questions, or need assistance getting an IT provider to help you, contact the Cyber Security in Schools team: firstname.lastname@example.org