Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Feds Warn Health Sector to Patch Apache Tomcat Flaws

Healthcare Sector Heavily Relies on Open-Source Web Server; Older Flaws Pose Risk
Feds Warn Health Sector to Patch Apache Tomcat Flaws
Image: HHS HC3

Federal authorities are alerting healthcare and public health sector entities of vulnerabilities that put Apache Tomcat at risk for attacks if left unmitigated. The healthcare sector heavily relies on the open-source web server, which is maintained by the nonprofit Apache Corp., for hosting electronic health records and an array of other systems and applications.

See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare

The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert Wednesday said vulnerabilities in Tomcat are constantly being discovered that can make it open to exploitation by cyberattack.

"Due to its functionality, it is usually exposed directly to the internet, making it accessible to countless threat actors," HHS HC3 said.

"It is often used for hosting EHR systems, running health information exchange systems, hosting laboratory information management systems, hosting and running custom healthcare applications, and supporting telemedicine applications, among other functions," the alert says. "Because Tomcat is so frequently deployed, it has attracted the attention of threat actors," HHS HC3 warns.

Tomcat vulnerabilities have been around for years but are often neglected by healthcare organizations, leaving those them at risk, said some experts.

"Tomcat is battle-hardened software with vast usage. It’s been a while since a major Tomcat vulnerability was announced; the HHS HC3 Tomcat alert that came out this week primarily focuses on notable historical vulnerabilities that have been published over the last five to 10 years, not recent developments," said Ryan Emmons, lead security researcher at security firm Rapid7.

"It's increasingly common for new zero-day vulnerabilities to be weaponized against organizations, but exploitation of older CVEs is still a much more common occurrence," he said.

Known vulnerabilities are frequently leveraged by threat actors in an automated fashion, he said. "For large organizations struggling with visibility of their assets, these older Tomcat vulnerabilities can persist for months or even years, driving increased risk of security incidents - particularly when the attack surface area is internet-facing."

The HHS HC3 alert lists more than a dozen "historical" vulnerabilities in Tomcat Apache that healthcare organization "should" have already patched. But if not, those vulnerabilities continue to be open to attacks.

Common historical vulnerabilities in Tomcat often involve remote code execution, information disclosure, cross-site scripting, denial of service, insecure deserialization, security misconfiguration, session fixation, and directory traversal, HHS HC3 said.

"Many threat actors are after low-hanging fruit. Forgotten Tomcat servers from 2013 on the public internet are exactly the type of thing attackers are hoping to find," Emmons said.

Most of the recent notable Tomcat vulnerabilities result in denial-of-service conditions, which result in downtime for targeted applications, he said.

"However, exploitation of more severe older code execution vulnerabilities, such as CVE-2017-12617 or CVE-2019-0232, can result in an attacker being able to run any program they want on the victim computer. From there, attackers can pillage data from the Tomcat system’s databases and attempt to move laterally into other systems on healthcare networks.

"The best way to defend Tomcat is with good security hygiene: Know your assets, patch them routinely, enforce strong passwords for Tomcat management interfaces, and limit the exposure of systems where possible," Emmons said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.