The vulnerability affects Apache's Log4j software library, versions 2.0-beta9 through 2.14.1.
The FDA said in a statement posted on December 17 that it is not aware of any medical device adverse event caused by the Log4j vulnerability. However, there is still a risk that the vulnerability could make a medical device unavailable, or that an unauthorized user could remotely impact its safety and effectiveness.
The Cybersecurity and Infrastructure Security Agency (CISA) has established a website with more information, including recommendations for addressing the vulnerability. The FDA encourages manufacturers to communicate with customers about the problem and to coordinate with CISA.
Said the FDA: “Manufacturers should assess whether they are affected by the vulnerability, evaluate the risk, and develop remediation actions. As Apache Log4j is broadly used across software, applications, and services, medical device manufacturers should also evaluate whether third-party software components or services used in or with their medical device may use the affected software and follow the above process to assess the device impact.”
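As an added illustration of the first step the FDA describes (assessing whether a device or its third-party components carry an affected Log4j build), the script below checks a component inventory against the version range named above. This is example code written for this page, not code from the FDA, CISA or Apache; the inventory and the `triage` helper are constructed assumptions, and the pre-release ordering follows Log4j's own `alpha`/`beta`/`rc` naming.

```python
"""Check a component inventory against the affected Log4j range
(2.0-beta9 through 2.14.1, as stated in the advisory above).
Inventory below is constructed sample data, not a real device SBOM."""
import re
from typing import List, Tuple

AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn 'MAJOR.MINOR[.PATCH][-PRE]' into a sortable tuple.

    Pre-release builds sort before the matching final release, so
    2.0-beta9 < 2.0-rc1 < 2.0, and 2.0-beta8 < 2.0-beta9."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?",
                     v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4] is None:
        return (major, minor, patch, 3, 0)      # final release ranks last
    stage = {"alpha": 0, "beta": 1, "rc": 2}[m[4]]
    return (major, minor, patch, stage, int(m[5]))


def is_affected(version: str) -> bool:
    """True if version lies inside the advisory's range (inclusive)."""
    return (parse_version(AFFECTED_LOW)
            <= parse_version(version)
            <= parse_version(AFFECTED_HIGH))


def triage(components: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (name, version) entries that name a Log4j artifact
    and fall in the affected range. 1.x and >= 2.15.0 pass through."""
    return [(name, ver) for name, ver in components
            if "log4j" in name.lower() and is_affected(ver)]


# Constructed sample inventory (hypothetical component names/versions).
SAMPLE_INVENTORY = [
    ("org.apache.logging.log4j:log4j-core", "2.14.1"),
    ("org.apache.logging.log4j:log4j-core", "2.0-beta9"),
    ("org.apache.logging.log4j:log4j-core", "2.0-beta8"),
    ("org.apache.logging.log4j:log4j-core", "2.15.0"),
    ("log4j:log4j", "1.2.17"),
    ("com.example:device-ui", "3.4.0"),
]

if __name__ == "__main__":
    for name, ver in triage(SAMPLE_INVENTORY):
        print(f"AFFECTED  {name} {ver}")
```

A version match is only the first pass of the assessment the FDA describes: a Log4j copy bundled or repackaged inside another component will not appear under its own name, so the inventory itself must be complete before this check means anything.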