Why You Should Be Concerned
The majority of SaaS applications use Apache Log4j. According to the Cybersecurity and Infrastructure Security Agency (CISA), “Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”
Since so many SaaS applications use Log4j, there is the potential that the vulnerability can lead to widespread healthcare cyberattacks. The Health Sector Cybersecurity Coordination Center (HC3) stated, “The exact extent to which Log4j is deployed throughout the health sector is unknown. It is a common application, utilized by many enterprises and cloud applications including several large and well-known vendors. Therefore, it’s highly likely that the health sector is impacted by this vulnerability, and possibly to a large-scale extent. Log4j is known to be a component in many software platforms, some of which are part of cloud services.”
The vulnerability lies in the JNDI features used in configuration, log messages, and parameters, which do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. According to data from cybersecurity firm Check Point, more than 100 exploitation attempts per minute have been reported as a result of the flaw.
“It’s ubiquitous. Even if you’re a developer who doesn’t use Log4j directly, you might still be running the vulnerable code because one of the open source libraries you use depends on Log4j,” Chris Eng, chief research officer at cybersecurity firm Veracode, told CNN Business. “This is the nature of software: It turtles all the way down.”