RCE Vulnerability

On December 14, 2021, the HHS Office for Civil Rights (OCR) issued a warning regarding a severe vulnerability in Java logging libraries that allows unauthenticated remote code execution and access to servers. The systems affected by the vulnerability use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1, including applications and services written in Java. The RCE vulnerability is considered one of the more dangerous exploits ever discovered, affecting hundreds of millions of systems across every part of the internet.

Why You Should Be Concerned

The majority of SaaS applications use Apache Log4j, according to the Cybersecurity and Infrastructure Security Agency (CISA), “Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”

Since so many SaaS applications use Log4j, there is the potential that the vulnerability can lead to widespread healthcare cyberattacks. The Health Sector Cybersecurity Coordination Center (HC3) stated, “The exact extent to which Log4j is deployed throughout the health sector is unknown. It is a common application, utilized by many enterprises and cloud applications including several large and well-known vendors. Therefore, it’s highly likely that the health sector is impacted by this vulnerability, and possibly to a large-scale extent. Log4j is known to be a component in many software platforms, some of which are part of cloud services.”

The vulnerability affects JNDI features used in configuration, log messages, and parameters, failing to protect against attacker controlled LDAP and other JNDI related endpoints. Attackers who exploit the RCE vulnerability can control who can log messages or log message parameters, enabling them to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. According to data from cybersecurity firm Check Point, there have been more than 100 hacking attempts reported per minute as a result of the flaw.

“It’s ubiquitous. Even if you’re a developer who doesn’t use Log4j directly, you might still be running the vulnerable code because one of the open source libraries you use depends on Log4j,” Chris Eng, chief research officer at cybersecurity firm Veracode, told CNN Business. “This is the nature of software: It turtles all the way down.”

Let’s Simplify Compliance

HIPAA compliance and cybersecurity go hand-in-hand. Protect your business by becoming HIPAA compliant today!

Learn More!
HIPAA Seal of Compliance

How to Address the RCE Vulnerability

On December 13, 2021, Apache released Log4j version 2.16.0 in a security update to address what is known as the CVE-2021-45046 vulnerability. In version 2.16.0, the ability functionality that allows attackers to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled has been disabled.

CISA released guidance on how affected organizations can mitigate the vulnerability. They recommend the following:

  • Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround:
    • In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
    • For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
    • For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
  • Apply available patches immediately. Se