The FDA recently sent out an email alert warning of a cybersecurity vulnerability in Apache’s Log4j software library (specifically versions 2.0-beta9 to 2.14.1). Log4j is an open-source, Java-based logging utility used in consumer and enterprise services, websites and applications, including medical devices and supporting systems, to log security and performance information. The vulnerabilities could introduce risks for certain medical devices that would render those devices unavailable. In addition, an unauthorized user could remotely control an affected device and potentially negatively impact its safety and effectiveness.
“These vulnerabilities may introduce risks for certain medical devices where the device could be made unavailable, or an unauthorized user could remotely impact the device functionality,” the agency stated in an email alert. “At this time, the FDA is not aware of any confirmed adverse events affecting medical devices related to these vulnerabilities.”
“As this is an ongoing and still evolving issue, we also recommend continued vigilance and response to ensure medical devices are appropriately secured,” FDA stated in the Cybersecurity section of its website.
The Cybersecurity & Infrastructure Security Agency (CISA) is urging users and administrators to review the vulnerability announcement and make any necessary upgrades or mitigations immediately.