Apache Log4j - Cybersecurity vulnerabilities

The Australian Cyber Security Centre (ACSC) has released an advisory with additional guidance on detection and mitigation on the vulnerability.

The TGA is aware of a critical cybersecurity vulnerability in Apache's Log4j software library, versions 2.0-beta9 through to 2.16.0. Log4j is an open-source tool used widely across a multitude of services, applications, websites, and systems, at both consumer and enterprise levels, to log system information. There is currently widespread and active malicious exploitation of this vulnerability across multiple industries.

As such, there may be risks relating to compromise or unavailability of:

• medical devices and healthcare delivery (including to cloud-based services)
• privacy of proprietary and patient information
• therapeutic goods manufacturing systems
• QMS/GMP management systems
• supply chains.

The TGA recommends and encourages healthcare delivery organisations, therapeutic goods sponsors and manufacturers to review and implement this guidance in order to mitigate and detect exploitation of this vulnerability. Additionally, the US Cybersecurity & Infrastructure Security Agency is currently maintaining a community sourced list of impacted vendors and software.

Actions that can be taken to mitigate vulnerabilities

The TGA reminds manufacturers that they must assess whether they are affected by this vulnerability, evaluate risk, and implement mitigations and remediations including providing information to users of their devices.

Further information is available in the TGA's cyber-security guidance for manufacturers and sponsors of devices that include software or electronic components.

Additional guidance is available for users of medical devices, including consumers, health professionals, and healthcare IT administrators.

Consumers can access information on medical device cyber security.

Sponsors of therapeutic goods should maintain and update their records of distribution, note customer complaints and potential or actual adverse events, and submit reportable events or information to the TGA.

Actions for manufacturers

Manufacturers should take all necessary action to address potential vulnerabilities within their systems and notify their Australian sponsor(s) of any planned actions and market action. As the vulnerability applies not just to medical devices, but also other software-based systems, manufacturers should review and take appropriate action for their websites, applications, data storage systems, digital interfaces and controls/processes (including for manufacturing and production systems). This is important to prevent unauthorised access to data or unauthorised changes to systems and controls relevant to manufacturing, quality management systems or production of therapeutic goods.

Manufacturers of therapeutic goods are advised to undertake the following at a minimum:

1. Review and identify all vulnerable software and hosts, and immediately apply the latest patches.
2. Implement appropriate detection and mitigation measures to eliminate or minimise risks. The ACSC advisory contains detection recommendations including indicators of compromise.
3. Validate and verify changes, including the application of test patches and further testing, to confirm the mitigations are effective and cause no unintended consequences for any manufactured therapeutic goods (devices, medicines, biologicals or other therapeutic goods).
4. Review and update relevant risk management documentation and procedures.
5. Provide relevant information to users on how to address the vulnerability (e.g. apply update, make particular firewall rule changes).
6. Alert the TGA, including contacting the TGA recalls team for any recall notices, customer notifications and actions to be taken.
7. Report any adverse events or information related to exploitations of the vulnerability to the TGA.

Actions for end users

End users are advised to implement the following mitigations where possible:

1. If possible, disable the JNDI Lookup class in affected systems. Advice on how to do this is available from Cloudlflare.
2. Implement network segmentation and segregation. The ACSC provides guidance on how to do so.
3. Isolate vulnerable applications from network systems to prevent lateral movement if exploitation has occurred.
4. Disable outbound connections from vulnerable hosts.

Reporting problems

Consumers and health professionals are strongly encouraged to report problems with medical devices. Your report will contribute to the TGA's monitoring of these products. For more information see the TGA Incident Reporting and Investigation Scheme (IRIS).

The TGA cannot give advice about an individual's medical condition. You are strongly encouraged to talk with a health professional if you are concerned about a possible adverse event associated with a medical device.

If you have information or suspect non-compliance in relation to therapeutic goods more broadly, you can report illegal or questionable practices online to the TGA.