Log4Shell Vulnerability and reminder about the importance of keeping your systems updated (24 December 2021)

This page provides more information about the Log4shell security vulnerability, the steps you should take to protect your data and critical services, a link to a recording of the LOG4J Webinar and confirmation of the DSP Toolkit exception.


A recently identified security vulnerability known as Log4shell or Log4j has been identified as a significant concern to IT systems globally.  Technical information about this vulnerability has been provided on the NHS Digital website.   Large NHS organisations are responding at pace.  A high severity alert has been issued via the respond to an NHS cyber alert system.  Further alerts are likely to be issued over the coming days.

This vulnerability poses a significant threat to IT systems worldwide.  Vulnerabilities such as these are commonly used to lock access to systems, data may be stolen, deleted or encrypted.  This poses a potential risk to patient care.

Further technical details and discussion is taking place on the Cyber Associates Network portal.  The National Cyber Security Centre (NCSC) has issued guidance.  Digital social care have also issued useful guidance aimed at social care organisations.


Take home message

We expect a large number of patches and software updates to be released over the coming days and weeks.  It has never been more important to keep your systems updated with the latest patches and security updates.

NHSX also strongly encourages you to use this alert to review your continuity plans, run a data back-up, and consider purchasing cyber insurance, if you have not done any of those recently.


Further technical detail

Log4J is a logging utility used by Java applications in order to generate application logs. The utility has the functionality to inspect items that it is logging and in certain circumstances it will actually reach out to remote URLs where it finds one. This means that it's possible to poison an element of some kind that may get logged (such as the user agent field in an HTTP request) with the URL of a malicious domain and then subsequently achieve remote code execution on the affected server.

Log4J appears to be extremely widely used in Java applications and vulnerable servers have been seen all over the internet.


Incident reporting

The existence of this vulnerability in general terms does not need to be reported via the DSPT Incident Reporting tool.  If this vulnerability is exploited, impacting upon your organisation or the data your organisation holds then normal processes to report incidents to regulators should apply.

Responding to a Cyber Alert - CC-3989 Log4Shell RCE Vulnerability

An automated reminder will be going out this evening in relation to the High severity alert CC-3989 Log4Shell RCE Vulnerability.

As advised during the webinar on Tuesday 21st December, organisations should keep the alert as ‘in progress’ as we understand that remediation will take us beyond the expected 14-day remediation timeframe.

In terms of DSPT compliance, we will issue an exception in January 2022 for this high severity alert (CC-3989).

Please could organisations continue to provide updates on their status and actions taken via the respond to an NHS cyber alert portal. 

The webinar recording is on the CAN workspace, it was the second one which covered the point about DSPT and the 14-day remediation deadline, the link is here:
Webinar 14:00 - 14:45 21 Dec 2021 - Cyber Associates Network - FutureNHS Collaboration Platform