Trella Health on Mirth Connect and Log4J

Trella Health uses Mirth Connect to manage our customer on-prem solution. This article exists because a vulnerability scan of a host running Mirth Connect will flag the application as vulnerable. Read on for the reason Mirth Connect is flagged and for the mitigation steps Trella Health has taken.

 

There are CVEs against Log4j, a logging library that Mirth Connect uses. The following are the responses from the maintainers of Mirth Connect:

Also, regarding the CVE for Log4j 1.2:

 

What does all this mean?

 

In the end, the formula information security follows is Vulnerability + Exposure = Threat. A scanner can only see the first term (the library version on disk); it cannot see how the host is networked or configured. Because of how Mirth Connect is set up and configured there is no "Exposure" and therefore no "Threat".

 

Detailed Explanation of the Mitigation:

 

As noted above, the vulnerabilities described in these CVEs are not present in Mirth Connect. However, by information security standards the fact that Mirth Connect uses an outdated version of Log4j still constitutes a vulnerability, and scanners report it on the library version alone, regardless of whether the affected code path is ever configured or reachable. That said, the way Mirth Connect is used on-site is in a trusted zone without access from external sources: Mirth only sends to the internet and does not receive from it. Even management is done only over a secure connection (VPN or screen share). This matters because it removes the "Exposure" and thereby removes the "Threat" of the outdated library Mirth Connect uses.
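The "no Exposure" argument rests on two checkable facts: that Mirth's listeners are reachable only from the trusted zone, and that the Log4j 1.2 configuration does not enable the components the 1.x CVEs actually require. The script below audits both. It is an added example written for this article, not Trella Health's or Mirth Connect's own code. It assumes Mirth's default Administrator ports (8080 and 8443) and a made-up trusted range of 10.20.30.0/24, and it runs offline on constructed samples of `ss -Htlnp` output and a Mirth-style log4j.properties file; on a real host you would feed it the live command output and the actual properties file.

```python
"""Audit the two claims behind the "no Exposure" argument for a Mirth Connect host.

Added example for this article, not Trella Health's or Mirth Connect's own code.
Checks: (1) Mirth's listeners are bound only to loopback or trusted-zone
addresses, and (2) Mirth's log4j.properties does not enable the Log4j 1.2
appenders whose CVEs are configuration-dependent. All inputs are constructed
samples standing in for `ss -Htlnp` output and a Mirth log4j.properties file.
"""
import ipaddress
import re

# Assumption: Mirth Connect's default Administrator ports (8080 HTTP, 8443 HTTPS).
MIRTH_PORTS = {8080, 8443}

# Assumption: the customer's trusted zone; replace with the real on-prem ranges.
TRUSTED_NETS = ["10.20.30.0/24"]

# Log4j 1.2 appenders whose CVEs apply only when they are configured. Log4j 1.x
# has no JNDI message lookup, so CVE-2021-44228 (Log4Shell) does not apply to it.
# org.apache.log4j.net.SocketServer (CVE-2019-17571) is a separate listener
# process, not an appender, so it would surface in the listener check instead.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# Constructed sample of `ss -Htlnp` (no header): state, recv-q, send-q,
# local addr:port, peer addr:port, process. 8080 is bound to all interfaces.
SAMPLE_SS = """\
LISTEN 0 50  10.20.30.40:8443  0.0.0.0:*  users:(("java",pid=1234,fd=77))
LISTEN 0 50  0.0.0.0:8080      0.0.0.0:*  users:(("java",pid=1234,fd=78))
LISTEN 0 128 127.0.0.1:5432    0.0.0.0:*  users:(("postgres",pid=99,fd=5))
LISTEN 0 128 [::]:22           [::]:*     users:(("sshd",pid=10,fd=3))
"""

# Constructed log4j.properties samples: Mirth-style file logging, and the same
# file with a JMSAppender added.
SAMPLE_LOG4J_OK = """\
log4j.rootLogger=INFO, stdout, fout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.fout=org.apache.log4j.RollingFileAppender
log4j.appender.fout.File=${dir.logs}/mirth.log
"""
SAMPLE_LOG4J_BAD = SAMPLE_LOG4J_OK + """\
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")


def _split_local(local):
    """'10.0.0.1:8443', '[::]:22' or '*:8080' -> (host, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):          # ss prints wildcard binds as '*' or '0.0.0.0'
        host = "0.0.0.0"
    return host, int(port)


def exposed_listeners(ss_output, ports=MIRTH_PORTS, trusted_nets=TRUSTED_NETS):
    """Return (host, port) pairs on `ports` that are bound to a wildcard
    address or to an address outside the trusted zone. Loopback is ignored.
    A wildcard bind is only a necessary condition for internet exposure; the
    perimeter firewall still has to be checked separately."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, port = _split_local(parts[3])
        if port not in ports:
            continue
        addr = ipaddress.ip_address(host)
        if addr.is_loopback:
            continue
        if addr.is_unspecified or not any(addr in n for n in nets):
            flagged.append((host, port))
    return flagged


def risky_appenders(properties_text):
    """Map appender name -> CVE for every configured appender in RISKY_APPENDERS."""
    found = {}
    for line in properties_text.splitlines():
        m = _APPENDER_RE.match(line)
        if m and m.group(2) in RISKY_APPENDERS:
            found[m.group(1)] = RISKY_APPENDERS[m.group(2)]
    return found


if __name__ == "__main__":
    print("Mirth listeners outside the trusted zone:", exposed_listeners(SAMPLE_SS))
    print("Risky appenders (ok config): ", risky_appenders(SAMPLE_LOG4J_OK))
    print("Risky appenders (bad config):", risky_appenders(SAMPLE_LOG4J_BAD))
```

On the constructed sample the listener check flags the 8080 listener bound to 0.0.0.0 and passes the 8443 listener bound to a trusted-zone address, while the properties check is clean for the file-logging configuration and flags the JMSAppender variant. A wildcard bind by itself does not prove internet reachability, so the firewall or NAT rules in front of the host are the second half of the exposure argument and have to be reviewed alongside this output.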

 

In summary, Trella Health uses Mirth Connect for convenience and does not open the application to the internet, which eliminates any Exposure and in turn removes the Threat that any Vulnerability would otherwise pose. That said, for any customer not comfortable with this justification, Trella Health will provide the queries that Mirth Connect runs so the customer can generate a CSV file themselves and deliver it to Trella Health's SFTP server on a scheduled basis.