The Crown Commercial Service (CCS) has instructed public sector suppliers to follow guidance from the National Cyber Security Centre (NCSC) in responding to a new, potentially serious cyber threat.
It has published a statement following reports of a remote code execution vulnerability that is affecting Apache log4j products.
The NCSC said it is aware that scanning for the vulnerability has been detected in the UK and exploitation detected elsewhere.
This has prompted CCS to urge suppliers on its procurement frameworks for the public sector to ensure their products are properly evaluated and patched.
It said: “As you are no doubt aware, critical vulnerabilities in Apache’s log4j product were announced on 10 December 2021. These vulnerabilities allow an attacker to remotely exploit arbitrary code on a vulnerable server. The attack is trivial to exploit and works without the need for any authentication. It is currently being actively exploited.
“As such, HM Government is treating this issue with the utmost seriousness and has been working since the vulnerability was disclosed to protect our services.
“We expect all suppliers to HM Government to have been doing the same, following NCSC guidance and ensuring your products and services are evaluated and remediated as necessary. We recognise that this may be a multi-stage process to complete, but we expect you to be well into your remediation plans by this point (Sunday 12 December).”
It added that suppliers should contact the NCSC with details of any affected service, and of any government body that could have been affected.
Log4j 2 is an open-source Java logging library developed by the Apache Software Foundation. It is used directly in many applications and is present in many more services as a transitive dependency, including enterprise applications and cloud services.
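Because the library so often arrives as a dependency bundled inside someone else's archive, the "evaluate" step CCS asks for is largely an inventory problem: finding every copy of log4j-core in a deployment, including copies nested inside fat JARs, WARs and EARs, and reading each one's version. The following is an added example written for this page, not code from the article, CCS, NCSC or the Apache project. It relies only on the well-known layout of the log4j-core artifact (its Maven `pom.properties` and the `JndiLookup` class). The fixed version it compares against is deliberately a caller-supplied argument, because the article names no version; take that value from current NCSC or Apache guidance. The sample fat JAR it builds is constructed test data.

```python
"""Inventory check for log4j-core inside (nested) Java archives.

Added example, not code from the article or the Apache project.  Assumes only
the standard log4j-core JAR layout.  The fixed version to compare against is
supplied by the caller (it is not stated in the article).
"""
import io
import os
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Files that the log4j-core artifact ships with (standard Maven/JAR layout).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str            # "app.jar!BOOT-INF/lib/x.jar" for nested archives
    version: Optional[str]   # from pom.properties, None if it is missing
    has_jndi_lookup: bool    # JNDI lookup class still packaged?


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def _scan_zip(zf: zipfile.ZipFile, location: str, findings: List[Finding]) -> None:
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append(Finding(location, version, has_jndi))
    # Shaded/fat JARs, WARs and EARs carry log4j-core as a nested archive, so a
    # filename-only search misses them: recurse into every nested archive.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{location}!{name}", findings)
            except zipfile.BadZipFile:
                continue  # a resource that merely has an archive-like name


def scan_archive_bytes(data: bytes, location: str) -> List[Finding]:
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        _scan_zip(zf, location, findings)
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a deployment directory and scan every archive below it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        findings.extend(scan_archive_bytes(fh.read(), path))
                except zipfile.BadZipFile:
                    continue
    return findings


def triage(findings: List[Finding], fixed_version: str) -> Dict[str, str]:
    """Classify each copy against the fixed version from the vendor advisory."""
    status: Dict[str, str] = {}
    for f in findings:
        if f.version is None:
            status[f.location] = "review: log4j-core present, version unknown"
        elif parse_version(f.version) >= parse_version(fixed_version):
            status[f.location] = f"patched ({f.version})"
        elif not f.has_jndi_lookup:
            status[f.location] = f"mitigated: JndiLookup removed ({f.version})"
        else:
            status[f.location] = f"NEEDS PATCH ({f.version})"
    return status


def build_sample_fat_jar() -> bytes:
    """Constructed test data: an app JAR bundling two old log4j-core copies."""
    def log4j_core(version: str, keep_jndi: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"version={version}\n")
            if keep_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # stub class
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as app:
        app.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", log4j_core("2.14.1", True))
        app.writestr("BOOT-INF/lib/log4j-core-stripped.jar", log4j_core("2.14.1", False))
        app.writestr("BOOT-INF/lib/other-lib.jar", b"not an archive")
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python inventory.py <deployment-dir> <fixed-version-from-advisory>
    for loc, verdict in triage(scan_tree(sys.argv[1]), sys.argv[2]).items():
        print(f"{verdict:45s} {loc}")
```

Three design points matter in practice. The recursion into nested archives is what makes the check useful on Spring Boot fat JARs and application servers, where the library is never a top-level file. A copy with the version unknown is flagged for review rather than silently passed, because an absent `pom.properties` usually means a repackaged or shaded build. And the "JndiLookup removed" verdict is reported separately from "patched" so that a temporary class-removal mitigation is not mistaken for the completed remediation CCS is asking suppliers to reach.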