Getty Images

Severe Apache Log4j Vulnerabilities Could Result in Healthcare Cyberattacks

HC3 issued a sector alert regarding severe Apache Log4j vulnerabilities that could result in healthcare cyberattacks if exploited.

The Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert outlining severe vulnerabilities associated with Apache Log4j, a common Java framework, which could result in healthcare cyberattacks if exploited.

Threat actors can exploit Log4j and execute arbitrary code on a compromised system or device. Researchers first discovered the remote code execution (RCE) vulnerability in November. However, proof-of-concept exploit code has been circulating on social media recently, making the vulnerability a higher priority.

“The exact extent to which Log4j is deployed throughout the health sector is unknown. It is a common application, utilized by many enterprises and cloud applications including several large and well-known vendors,” HC3 stated.

“Therefore, it’s highly likely that the health sector is impacted by this vulnerability, and possibly to a large-scale extent. Log4j is known to be a component in many software platforms, some of which are part of cloud services.”

If exploited, threat actors can use these vulnerabilities to begin a large-scale cyberattack resulting in data exfiltration and ransomware deployment. HC3 advised that healthcare and public health organizations analyze their infrastructure to ensure that they are not running vulnerable versions of Log4j.

“Any vulnerable systems should be upgraded, and a full investigation of the enterprise network should commence to identify possible exploitation if a vulnerable version is identified,” the alert urged.

Apache said in its own brief that the vulnerability, also known as Log4Shell and LogJam, applies to versions 2.0-beta up to 2.14.1.

The SANS Institute also recently released an analysis of the Log4j vulnerabilities. SANS Institute researchers recommended that organizations start by implementing the new Log4j library, version 2.15.0, which was recently released to fix the vulnerability.

“This is, of course, the best fix, but it might require recompilation and redistribution of packages,” the analysis stated. “If you are using version 2.10.0 you can set a property called formatMsgNoLookups to true to prevent lookups. This can be passed as a parameter too.”

Organizations should also practice good cyber hygiene and block any outgoing traffic that is not required.

“HC3 echoes this recommendation and implores the HPH to address infrastructure in a comprehensive and timely manner,” the alert continued.

“Upgrading is the ideal solution, but other mitigation actions listed above can be sufficient until a full upgrade becomes a viable choice.”

The Cybersecurity and Infrastructure Security Agency (CISA) created a designated website to track the Log4j vulnerabilities, in partnership with the Joint Cyber Defense Collaborative.

"CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately," CISA stated.

The agency will maintain an ongoing list of impacted products and services via a community-sourced GitHub repository. 

It is crucial that healthcare organizations remain aware of this cyber threat and prepare accordingly by prioritizing patching and conducting thorough security reviews.

Next Steps

Dig Deeper on Cybersecurity strategies