Services Australia (the Agency) is aware of the reported Log4j vulnerability – otherwise known as CVE-2021-44228 or Log4Shell – and we are investigating this matter as it continues to evolve. We are also working closely with the Australian Signals Directorate and in particular the Australian Cyber Security Centre (ACSC). 

Overview

As you will be aware, the Log4j vulnerability exists in certain versions of the Log4j library used by the Agency. We have implemented internal upgrades to the latest version of Log4j libraries over the last two weeks and continue to implement upgrades in line with recommendations by ACSC.

The Agency has upgraded its digital health and aged care channels (including Medicare, PBS, AIR and Aged Care) for web services to remove the vulnerability.  

The Agency is committed to moving away from ageing adaptor technology for online claiming as soon as possible. This has become increasingly urgent in light of the emerging global Java vulnerability.

Client and server adaptors are not in scope for upgrades and redeployment. As you know, there are many versions of the adaptors, and upgrading all versions and retesting products within the current resourcing and time constraints will add further pressures to developers and sites transitioning to web services.

We recommend that you transition your customers to web services as soon as possible. Where this cannot be accommodated in the short term, software developers using adaptors should seek more information and assistance from Cyber.gov.au > Log4j vulnerability – advice and mitigations: 

For those developers who have not yet received their certification for web services, we encourage you to book in as soon as your product is ready. The Agency is:

  • making the vendor environment available (unsupported) over the holiday break, 
  • maintaining the additional testing support resources and working extended hours, and
  • prioritising developers looking to move off adaptors onto web services.  

Please note that the Online Technical Support (OTS) Software Vendor Technical Support (SVTS) team does not have any further information regarding the investigation.

Services Australia will provide further advice as it becomes available. 

Date: Thursday, December 23, 2021