BLOG

A far-spanning zero-day vulnerability was exposed over the weekend for the ubiquitous open-sourced logging utility called Log4j. Log4j is a java-based utility deployed in many application implementations including popular Apache web application platforms.

CORL is actively working with our customers and vendor population to understand the extent of the deployment of Log4j in the vendor community and the impact and risk exposure it may create for our customers.

This blog provides a short summary of the Log4j vulnerability, as well as recommendations for remediation and risk mitigation for organizations and their third-party vendors.

What is the Log4j Vulnerability?

Log4j is a java-based logging framework developed by Apache and used by many enterprise applications, web applications, and cloud-hosted applications. More specifically, Log4j is a java library that logs and keeps a record of application events that can be used for debugging, troubleshooting, security, and other purposes.

The recently discovered vulnerability is rated critical by the US Cybersecurity & Infrastructure Agency (CISA) due to the wide deployment of the popular open-sourced library coupled with the relative ease of exploitation. A specially crafted code string sent to a vulnerable server can allow attackers to gain full control over the target device and application(s).

Attackers have begun to exploit vulnerable systems and applications using Log4j and more automated and widespread exploits are expected in the coming days. Some reports indicate that attackers may have started exploiting the vulnerability in botnets as early as December 1.

Affected systems and services include those that use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1.

What is the Potential Impact to Healthcare Organizations and their Third-party Vendors?

Attackers have been actively targeting the supply chain and vendors that support critical infrastructure including healthcare over the last several years. Other successful attacks against major IT providers including SolarWinds, Microsoft, Kaseya, and others have exposed the critical dependency that healthcare organizations have on third-party vendors.

The exploitation of the Log4j vulnerability could allow attackers to gain full administrative control of applications that contain patient information or host or manage critical business and clinical functions for healthcare entities. This could serve as a source of data breach and a platform to launch ransomware and other malicious attacks.

The successful exploitation of Log4j vulnerabilities could also introduce potential regulatory exposure for the breach of Protected Health Information (PHI), reputational damage for breached patient information, financial loss, and operational disruption caused to system downtime and compromise.

What are Recommendations for Remediation and Risk Mitigation?

CORL recommends requesting the following information, at a minimum, from third-party vendors in relation to the Log4j vulnerability (CVE-2021-44228):

1. Does your organization use the Apache Log4j logging utility and/or the Log4j Java library?
   1. If Yes, please answer question 2 below).
   2. If No, please answer the additional questions starting with question 3.
2. At any point, was your organization running a version of the Java logging library, Apache Log4j, affected by this recently disclosed vulnerability (i.e. any Log4j version prior to v2.15.0)?
   1. If yes, has your organization complied with the recommendations from CISA including patching to the latest version of Log4j?
   2. If yes, has your organization scanned your environment for Log4j instances you may not have been aware of?
   3. If yes, is your organization aware of any potential or active compromise of systems or data from external threat actors related to the Log4j vulnerability? Please describe current activities underway to mitigate the attack(s).
   4. If no, please describe the response you have taken so far and/or plan to take to reduce/eliminate the threat posed by this event.
3. Are you aware if any of your subcontractors and/or suppliers have deployed the Log4j logging utility?
   1. Please list any impacted subcontractors or suppliers.
   2. What action(s) has your organization taken to inventory and assess subcontractors or suppliers that may have been impacted by the Log4j vulnerability?

What Additional Resources are Available to Learn More About Log4j and Supply Chain Breaches?

• US Cybersecurity & Infrastructure Security Agency (CISA) Bulletin
• Apache Vulnerability and Overview and Patching Details
• GitHub List of Systems and Vendors Impacted by Log4j
• Official Log4j CVE Details
• CORL Blog: Healthcare Takes It on the Chin with Supply Chain Breaches
• CORL Webinar Replay: SolarWinds & Securing the Supply Chain

CORL is continuing to monitor the situation as it unfolds and will be publishing and updating guidance as more information becomes available.

CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides with access to vendor risk assessment results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next-generation exchange of vendor risk data allows healthcare entities to:

• Accelerate assessment turnaround times
• Save time, money, and resources
• Prioritize vendors for assessment and remediation
• Make informed supply chain risk decisions
• Scale vendor risk programs
• Report on vendor risk across the entire vendor portfolio
• Drive and track remediation
• Validate controls and gain assurance
• Track KPI, KRI, and SLA metrics on program performance
• Identify trends in vendor types to anticipate breaches

Contact our team here at CORL to learn more about our managed services and next-generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.