The Australian Cyber Security Centre (ACSC) has released an advisory with additional guidance on detection and mitigation on the vulnerability.
The TGA is aware of a critical cybersecurity vulnerability in Apache’s Log4j software library, versions 2.0-beta9 through to 2.16.0. Log4j is an open-source tool used widely across a multitude of services, applications, websites, and systems, at both consumer and enterprise levels, to log system information. There is currently widespread and active malicious exploitation of this vulnerability across multiple industries.
As such, there may be risks relating to compromise or unavailability of:
- medical devices and healthcare delivery (including to cloud-based services)
- privacy of proprietary and patient information
- therapeutic goods manufacturing systems
- QMS/GMP management systems
- supply chains.
The TGA recommends and encourages healthcare delivery organisations, therapeutic goods sponsors and manufacturers to review and implement this guidance in order to mitigate and detect exploitation of this vulnerability. Additionally, the US Cybersecurity & Infrastructure Security Agency is currently maintaining a community sourced list of impacted vendors and software.
Actions that can be taken to mitigate vulnerabilities
The TGA reminds manufacturers that they must assess whether they are affected by this vulnerability, evaluate risk, and implement mitigations and remediations including providing information to users of their devices.
