What are Log4j and Log4Shell?
Log4j is a piece of software that most computer users will never interact with, but it is present on a tremendous number of systems. It is a Java library that handles logging and reporting of application events, and it’s embedded in many Java applications because developers find it extremely useful to meet security and compliance requirements that they log application activity. The software is maintained by the Apache Software Foundation and has been around for over two decades. It’s hard to imagine a modern organization that isn’t running software that relies on this library somewhere in their technology environment.
Log4j reliably performed its job in relative obscurity until Dec. 9, 2021, when Apache announced the presence of the Log4Shell vulnerability, which posed a critical risk to the security of internet-connected systems that use Log4j. The vulnerability allows an attacker to take complete control of unpatched systems, often by sending a simple HTTP request to a web application running on that server.
Attackers were quick to exploit this vulnerability, building the exploit into widely used botnet code and compromising systems worldwide. The simplicity of the attack and its devastating consequences led to Log4Shell receiving a score of 10 under the Common Vulnerability Scoring System — the highest severity score possible under CVSS, warranting immediate attention from cybersecurity professionals.
Healthcare Organizations Should Patch Systems Now
Healthcare organizations that have not already done so should immediately scan their network for systems running vulnerable versions of Log4j and patch those systems as quickly as possible. To assist with this task, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of potentially vulnerable applications that incorporate Log4j. And the CERT Coordination Center offers a Log4j scanning tool that can check the status of specific Java applications.
There’s an added twist for organizations that discover vulnerable deployments of Log4j today. This vulnerability has been widely publicized and exploited for more than six months. That means that an organization discovering a vulnerable system that has applications exposed to the internet should assume that the system is compromised and immediately activate their incident response plans to perform a thorough investigation and response.
Technologists in healthcare organizations know that it isn’t always possible to update software used in a medical environment and, in fact, some embedded systems simply can’t be updated. In those situations, vulnerable devices should be placed on an isolated network whenever possible. CISA also offers mitigation measures that may be used to reduce the vulnerability of systems running affected versions of Log4j.
Long-Term Strategies to Address Log4j in Healthcare
Healthcare organizations that have already addressed Log4j can use this opportunity to address some of the underlying issues that allowed Log4j to become so disruptive.
There are four specific actions that organizations can take to have a dramatic impact on their ability to respond to similar incidents in the future:
- Develop an inventory of applications and components: When new vulnerabilities come out, one of the fundamental challenges that most organizations face is that they don’t know what software they run and what components that software relies upon. Organizations should develop an inventory of the software that they use and the components that software relies upon to allow them to quickly trace the use of vulnerable components. Software composition analysis tools can help with this work, peeling back layers of production applications to identify underlying components.
- Implement a strong patch management program: Most healthcare organizations today do a good job of keeping operating systems patched to current security standards. Application patching, however, often remains an elusive goal. Providers should ensure that their patch management programs cover all of the operating systems, applications and devices used in their environments, paying particular attention to those with public exposure.
- Actively manage security vulnerabilities: Cybersecurity teams at modern healthcare organizations almost always have a vulnerability scanning tool in their arsenal. However, that tool is only effective when a rigorous process ensures that those vulnerabilities are promptly resolved. Providers who have not already done so should consider integrating their vulnerability management tools with their IT service management tools to provide visibility into and tracking of remediation efforts.
- Obtain and monitor threat intelligence sources: A variety of open-source and commercial products provide insight into rapidly changing threat environments. Cybersecurity teams should actively monitor several diverse sources of threat intelligence to identify potential threats to their operations.
The cybersecurity community is on the tail end of the Log4j vulnerability. We’ve patched most of our systems and restored services that depended on vulnerable components.
Now is the time to get your house in order and ensure that you’re better prepared for the next vulnerability before it comes down the pipe.