Urgent Alert: Log4j Java/Apache Logging Vulnerability
Published On December 16, 2021
A far-reaching zero-day vulnerability was exposed this week in the ubiquitous open-source logging utility Log4j. Log4j is a Java-based utility deployed in many implementations of the popular Apache web application platform.
Meditology is actively working with our clients and the third-party vendor population to understand the extent of deployment of Log4j and the impact and risk exposure it may create for healthcare organizations.
This blog provides a short summary of the Log4j vulnerability as well as recommendations for remediation and risk mitigation for organizations and their third-party vendors.
What is the Log4j Vulnerability?
Log4j is a Java-based logging framework developed by Apache and used by many enterprise applications, web applications, and cloud-hosted applications. More specifically, Log4j is a Java library that logs and keeps a record of application events that can be used for debugging, troubleshooting, security, and other purposes.
The recently discovered vulnerability is rated critical by the US Cybersecurity & Infrastructure Security Agency (CISA) due to the wide deployment of the popular open-source library coupled with the relative ease of exploitation. A specially crafted code string sent to a vulnerable server can allow attackers to gain full control over the target device and application(s).
Attackers have begun to exploit vulnerable systems and applications using Log4j, and more automated and widespread exploits are expected in the coming days.
Affected systems and services include those that use the Java logging library Apache Log4j between versions 2.0 and 2.15.
What is the Potential Impact to Healthcare Organizations and their Third-party Vendors?
Attackers have been actively targeting the supply chain and vendors that support critical infrastructure including healthcare over the last several years. Other successful attacks against major IT providers including SolarWinds, Microsoft, Kaseya, and others have exposed the critical dependency that healthcare organizations have on third-party vendors.
Healthcare entities have also deployed new and innovative applications developed in-house that leverage the vulnerable Log4j utility.
The exploitation of the Log4j vulnerability could allow attackers to gain full administrative control of applications that contain patient information or host or manage critical business and clinical functions for healthcare entities. This could serve as a source of data breach and a platform to launch ransomware and other malicious attacks.
The successful exploitation of Log4j vulnerabilities could also introduce potential regulatory exposure for the breach of Protected Health Information (PHI), reputational damage for breached patient information, financial loss, and operational disruption caused by system downtime and compromise.
What are Recommendations for Remediation and Risk Mitigation?
Perform a review and inventory of applications developed in-house to identify if the Log4j utility has been deployed. Leverage automated network scanning and vulnerability assessment tools to identify potentially vulnerable systems on your network. Patch to the latest version and follow other recommendations from CISA as they become updated over time.
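One way to carry out the in-house inventory step, shown as an added example that is not Meditology's or Apache's code: a Python scanner that opens JAR/WAR/EAR archives, including nested ones, reads the log4j-core Maven metadata and flags versions prior to 2.15.0 (the threshold this page gives). The function names and the sample WAR are constructed for illustration.

```python
import io, re, zipfile

# Threshold from the page: any Log4j version prior to 2.15.0 is flagged.
FIXED = (2, 15, 0)
# Maven metadata and lookup class shipped inside log4j-core JARs.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """Extract (major, minor, patch) from pom.properties text, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, label, findings=None):
    """Inspect one archive (bytes), recursing into nested archives."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # corrupt or not an archive: skip it
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            ver = parse_version(zf.read(POM).decode("utf-8", "replace")) if POM in names else None
            # Unknown version (shaded JAR without metadata) is flagged for manual review.
            findings.append({"path": label, "version": ver,
                             "jndi_lookup": JNDI in names,
                             "flagged": ver is None or ver < FIXED})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings

def make_zip(entries):
    """Build an in-memory archive (used only for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample: a WAR bundling one old and one patched log4j-core."""
    old = make_zip({POM: "version=2.14.1\n", JNDI: b""})
    new = make_zip({POM: "version=2.15.0\n", JNDI: b""})
    war = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": old,
                    "WEB-INF/lib/log4j-core-2.15.0.jar": new})
    return scan_archive(war, "app.war")
```

For a real inventory, read each `.jar`, `.war` or `.ear` file found on disk as bytes and pass it to `scan_archive`; nested libraries inside application bundles are reported with a `!/` path so the owning application can be identified.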
Meditology also recommends requesting the following information, at a minimum, from third-party vendors in relation to the Log4j vulnerability (CVE-2021-44228):
1. Does your organization use the Apache Log4j logging utility and/or the Log4j Java library?
   - If yes, please answer question 2 below.
   - If no, please answer the additional questions starting with question 3.
2. At any point, was your organization running a version of the Java logging library, Apache Log4j, affected by this recently disclosed vulnerability (i.e., any Log4j version prior to v2.15.0)?
   - If yes, has your organization complied with the recommendations from CISA including patching to the latest version of Log4j?
   - If yes, has your organization scanned your environment for Log4j instances you may not have been aware of?
   - If yes, is your organization aware of any potential or active compromise of systems or data from external threat actors related to the Log4j vulnerability? Please describe current activities underway to mitigate the attack(s).
   - If no, please describe the response you have taken so far and/or plan to take to reduce/eliminate the threat posed by this event including for any third- and fourth-party vendors you employ.
3. Are you aware if any of your subcontractors and/or suppliers have deployed the Log4j logging utility?
   - Please list any impacted subcontractors or suppliers.
4. What action(s) has your organization taken to inventory and assess subcontractors or suppliers that may have been impacted by the Log4j vulnerability?
What Additional Resources are Available to Learn More About Log4j and Supply Chain Breaches?
- US Cybersecurity & Infrastructure Security Agency (CISA) Bulletin
- Apache Vulnerability and Overview and Patching Details
- GitHub List of Systems and Vendors Impacted by Log4j
- Official Log4j CVE Details
- CORL Technologies blog: Healthcare Takes It on the Chin with Supply Chain Breaches
- Webinar Replay: SolarWinds & Securing the Supply Chain
- Podcast: Who is Responsible for Securing the Supply Chain
Meditology is continuing to monitor the situation as it unfolds and will be publishing and updating guidance as more information becomes available.