PHAC, StatCan websites partially offline over Log4j vulnerability

Some services and sections of the Public Health Agency (PHAC) of Canada and Statistics Canada websites have been temporarily taken offline over a software vulnerability that has caused panic around the world.

On Friday the Canadian Centre for Cyber Security (CCCS) issued an alert, saying Apache had released a security advisory highlighting a critical remote code execution vulnerability in its widely-deployed Java-based logging software Log4j.

The Apache software is used across many industries and by many governments. The flaw means criminals, spies and others could potentially gain entry to internal networks, accessing data or other sensitive information.

It also means criminals could plant malicious malware within internal networks.

A message on the Statistics Canada website says the agency has “proactively taken down some sections of our website that may be affected by this potential vulnerability as we address the situation.”

“There has not been any breach or compromise to our systems,” the post on the website notes.

CTVNews.ca reached out to Statistics Canada to determine which services have been temporarily taken offline and when the services would be restored, however, a spokesperson for the agency said no more information could be provided.

An almost identical message appears at the top of the PHAC website.

CTVNews.ca reached out to PHAC for more information, including to determine which services have been taken offline, but did not hear back by time of publication.

However, in an email to CTVNews.ca on Wednesday, the country’s Communications Security Establishment said there is “no indication” that the vulnerability has been exploited in any of the Canadian government’s services.

A spokesperson for the CSE said that after the federal government became aware of the flaw last week, government departments took certain web-based services offline as a precaution while “any potential vulnerabilities are assessed and mitigated.”

“While the government continues to operate with an abundance of caution, we have no indication that these vulnerabilities were exploited,” the email reads. “The government has robust systems and tools in place to monitor, detect and investigate potential threats and takes active measures to address and neutralize them.”

On Saturday, Minister of National Defence Anita Anand released a statement, saying the Apache vulnerability “has the potential to be used by bad actors in limited and targeted attacks.”

Anand said the CCCS was calling on organizations of “all types” to “pay attention to this critical, internet vulnerability affecting organizations across the globe.”

She said given the “critical nature” of the vulnerability and “reports of active exploitation,” the government is “urging Canadian organizations to follow recommended guidance and report any incidents to the Cyber Centre as soon as possible.”

Meanwhile, some systems taken offline temporarily have already been restored.

Last Friday, the Canada Revenue Agency took some of its systems offline.

In a statement, the agency said there was “no indication the system had been compromised, or that there has been any unauthorized access to taxpayer information because of this vulnerability.”

The agency said the services were taken offline “in order to protect taxpayer information and CRA systems against potential threats.”

By Tuesday, though, the CRA said all of its digital services had been restored.