This article addresses a concern raised regarding a security vulnerability that impacts Apache web services. We'll explain the issue and how it can potentially impact your office.
What's the Issue?
The Apache Software Foundation, authors of a large number of software products, created a tool by the name of Log4j (pronounced "Logforge") to essentially record how programs run. This is largely used for code auditing and to investigate bugs. It's a routine tool included in a wide variety of products for PC and Mac.
A major vulnerability in this tool was reported on December 9th, 2021. In the right circumstances, malicious actors can cause software that contains this tool to download and run scripts, leaving the host computers open to complete remote control. For technical details about this vulnerability, please see the following cybersecurity vulnerability reports:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Is MacPractice vulnerable to this exploit?
Thankfully, MacPractice itself does not utilize this tool. MacPractice does make use of the Apache HTTP Server to manage both internal and external communications. However, Log4j and the Apache HTTP Server are completely different projects. MacPractice also does not make use of Java in any of our underlying code.
If you process dental claims in Canada, you may make use of a Java package provided by iTrans for this purpose. We have contacted iTrans and they have confirmed that this package is not susceptible to this vulnerability.
We strongly advise that you consult an IT professional familiar with cybersecurity to review all other software installed within your organization for this vulnerability.
Again, we can confirm that MacPractice is not vulnerable to this exploit. MacPractice Support can answer additional questions you may have about MacPractice, but cannot provide security analysis of your organization beyond the scope of MacPractice itself.