Organisations are being warned about a flaw in open-source Java logging library which could affect a number of services.

According to the National Cyber Security Centre (NCSC), “an unauthenticated remote code execution vulnerability (CVE-2021-44228) is affecting multiple versions of the Apache Log4j 2 library”.

The post on the NCSC’s website adds that the organisation is “aware that scanning and attempted exploitation is being detected globally, including the UK”.

NHS Digital has said Log4j is used in numerous Java applications and is present in many services as a dependency in custom applications within organisations as well as a wide range of cloud services. This includes Cloudflare, Twitter, Steam, Apple i-Cloud, Amazon and others.

According to a post on NHS Digital’s website, organisations will be asked to complete a HSA Response in order to determine which pieces of software could be at risk.

NHS Digital also points to NSCS’s advice which includes installing the latest updates as soon as possible.

It adds:

  • If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.15.0 or later
  • If you are using an affected third-party application, ensure you keep the product updated to the latest version
  • The flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath

As it might not be always easy for organisations to determine which applications use Apache Log4j 2 software, NHS Digital also recommends organisations to reach out to suppliers.

This latest incident follows the 2017 WannaCry attack which devastated hospital IT systems. Just after 1pm in the afternoon of 17 May 2017, NHS Digital’s CareCERT unit sent an alert to the Department of Health and Social Care informing them that four NHS trusts had reported ransomware attacks affecting a number of hospitals.

By 4pm, the ransomware had spread to 16 trusts and it was at this point NHS England publicly declared a major cyber security incident.

It led to disruption of at least 80 out of 236 hospital trusts in England, as well as 603 primary care and affiliate NHS organisations.

A devastating report from the National Audit Office into the impact of WannaCry concluded that Britain’s health service was woefully unprepared for a cyber-attack of such scale, despite being warned of a threat as far back as 2014.

In response NHS England published its “lessons learned” report, calling for a chief information and security officer (CSIO) and dedicated cyber security lead to be appointed.