OCR is sharing the following guidance from the Cybersecurity and Infrastructure Security Agency (CISA) about a new remote code execution vulnerability requiring immediate attention. Organizations are encouraged to review the information below and take appropriate action:
Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation
Original release date: December 10, 2021
Description: A newly discovered severe vulnerability in Java logging libraries, tracked as CVE-2021-44228, allows unauthenticated remote code execution and access to servers. There are reports that this is being actively exploited in the wild and that proof-of-concept code has been published.
Systems Affected: Systems and services that use the Java logging library Apache Log4j between versions 2.0 and 2.14.1, including applications and services written in Java.
Requested Action: Users are urgently encouraged to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately. CISA has urged users and administrators to apply the recommended mitigations “immediately” in order to address the critical vulnerabilities. CISA has created a webpage with guidance on addressing this vulnerability.
This email is being sent to you from the OCR-Privacy-List listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services. This is an announce-only list, a resource to distribute information about the HIPAA Privacy, Security, and Breach Notification Rules. For additional information on a wide range of topics about the HIPAA Rules, please visit https://www.hhs.gov/hipaa/index.html. Information about OCR’s civil rights authorities and responsibilities can be found at https://www.hhs.gov/civil-rights/index.html. If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint at https://www.hhs.gov/hipaa/filing-a-complaint/index.html. To subscribe to or unsubscribe from the listserv, go to https://list.nih.gov/cgi-bin/wa.exe?SUBED1=OCR-PRIVACY-LIST&A=1.