What is CVE-2021-44228 also calledLog4Shell/Log4j?

A global vulnerability has been identified with Log4j, a java-based logging utility that is used by many systems and products worldwide, including a number of Telstra Health’s digital solutions.

We responded immediately when we became aware of this issue to identify and remediate any potential impact to our solutions and the customers we support. To date, we have not identified any actual impact to our systems or the solutions we provide to our customers.

What systems are affected?

Systems and services impacted include those that use the Java logging library, Apache log4j between versions 2.0-beta9 and 2.14.1.

We are working to install patches for all Telstra Health solutions that could potentially be impacted by this vulnerability.

When we became aware of this issue, we responded to configure our Web Application Firewalls to detect and block malicious traffic relating to this vulnerability, and are blocking the IP addresses of known malicious actors. We are also conducting vulnerability scans of Telstra Health internet-facing IP addresses.

How to update or mitigate against the vulnerability?

The Apache Foundation has issued log4j version 2.15.0, which is not vulnerable to Log4Shell by default.

We are updating all of Telstra Health’s solutions that utilise Log4j to ensure they are using version 2.15.0.

We are also responding to the advice from the Australian Centre for Cyber Security in how we respond to this issue.

Has Telstra Health been impacted by CVE-2021-44228 Log4Shell/Log4j?

Like most companies around the world, Telstra Health has been reviewing its systems since we were made aware of the vulnerability and we will continue to do so.  We are also working with our suppliers and partners to ensure co-ordination and management of any mitigation, should it be required.

Next Steps

We will continue to communicate with you as this issue continues to develop and we respond to it.