Request For Information - Log4j and Spring Framework vulnerabilities
Updated: 31 May 2022
Please read and respond to this Request For Information, which is important to maintaining the security of Australia's digital health sector.
Recently, two critical vulnerabilities in widely used software libraries have exposed many of the applications and devices that incorporate those libraries. The Australian Cyber Security Centre issued alerts about critical vulnerabilities in:
- Apache Log4j2 library; and
- Spring Framework library.
See this linked PDF (202K) for further details of these vulnerabilities and their potential impacts.
Given the criticality, and widely dispersed nature, of the Log4j and Spring Framework vulnerabilities, the Agency, as the System Operator for the My Health Record system, is writing to health software vendors and hosted service providers whose software and/or infrastructure connects to the My Health Record system when used by healthcare organisations. This includes:
- conformant software vendors
- repository operators and portal operators
- hosted service providers and contracted service providers
- mobile application/platform providers
What do I need to do?
If you belong to one of these stakeholder groups, we request that you complete a very short questionnaire so we can assess whether these vulnerabilities have impacted your health-related on-premise software, cloud services or systems, and whether you have notified your customers and relying parties.
We request that you inform us if your products or services currently have any of the Log4j2 or Spring Framework vulnerabilities. Please also complete the questionnaire, even if these vulnerabilities do not affect your products/systems.
Please do this by completing the short questionnaire by 14 June 2022.
Services Australia (the Agency) is aware of the reported Log4j vulnerability – otherwise known as CVE-2021-44228 or Log4Shell – and we are investigating this matter as it continues to evolve. We are also working closely with the Australian Signals Directorate and in particular the Australian Cyber Security Centre (ACSC).
As you will be aware, the Log4j vulnerability exists in certain versions of the Log4j library used by the Agency. We have implemented internal upgrades to the latest version of the Log4j libraries over the last two weeks and continue to implement upgrades in line with recommendations by the ACSC.
The Agency has upgraded its digital health and aged care channels (including Medicare, PBS, AIR and Aged Care) for web services to remove the vulnerability.
The Agency is committed to moving away from ageing adaptor technology for online claiming as soon as possible. This has become increasingly urgent in light of the emerging global Java vulnerability.
Client and server adaptors are not in scope for upgrades and redeployment. As you know, there are many versions of the adaptors, and upgrading all versions and retesting products within the current resourcing and time constraints would add further pressure on developers and sites transitioning to web services.
We recommend that you transition your customers to web services as soon as possible. Where this cannot be accommodated in the short term, software developers using adaptors should seek more information and assistance from Cyber.gov.au > Log4j vulnerability – advice and mitigations.
For those developers who have not yet received their certification for web services, we encourage you to book in as soon as your product is ready. The Agency is:
- making the vendor environment available (unsupported) over the holiday break,
- maintaining the additional testing support resources and working extended hours, and
- prioritising developers looking to move off adaptors onto web services.
Please note that the Online Technical Support (OTS) Software Vendor Technical Support (SVTS) team does not have any further information regarding the investigation.
Services Australia will provide further advice as it becomes available.