The Federal Trade Commission (FTC) has urged organizations to take action against the Log4j vulnerability (CVE-2021-44228). In its statement, the FTC said the flaw poses a severe risk to millions of consumer products as well as to enterprise software and web applications, and that it is being actively exploited by a growing set of attackers.
The FTC warned that the vulnerability can lead to breaches of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, and the FTC said it intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from attackers. Organizations can use CISA's guidance to check whether they use the Log4j software library. If so:
- Update the Log4j software package to the most current version.
- Consult CISA guidance to mitigate this vulnerability.
- Take remedial steps to ensure that the company's practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
- Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
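As an added illustration of the "check whether you use Log4j, then update" steps above (this scanner is written for this page and is not part of the FTC or CISA material): it walks a directory tree, opens every jar/war/ear it finds, identifies log4j-core by its embedded Maven metadata and by the presence of `JndiLookup.class` rather than by file name (renamed or re-bundled copies are still caught), recurses into archives nested inside a war, and reports whether each copy is below the patched release. The 2.17.1 threshold, the `build_sample_tree` fixture jars and the status labels are assumptions of this example, not anything the FTC or CISA specify.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption of this example: treat 2.17.1 (the current Log4j 2 release when
# the FTC notice appeared) as the lowest fully patched version.
MIN_SAFE_VERSION = (2, 17, 1)
# Maven metadata shipped inside real log4j-core jars, and the lookup class whose
# removal is the documented mitigation when an upgrade is not possible.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

@dataclass
class Finding:
    path: str               # file path; nested archives joined with "!/"
    version: Optional[str]  # None when pom.properties is missing
    has_jndi_lookup: bool
    status: str             # "vulnerable", "mitigated" or "ok"

def parse_version(props: str) -> Optional[Tuple[int, int, int]]:
    """Pull 'version=2.14.1' out of pom.properties as a comparable tuple."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.M)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def classify(version: Optional[Tuple[int, int, int]], has_jndi: bool) -> str:
    if version is not None and version >= MIN_SAFE_VERSION:
        return "ok"
    # Below the patched release, or version unknown: the JNDI lookup path is
    # closed only if JndiLookup.class has been stripped out of the jar.
    return "vulnerable" if has_jndi else "mitigated"

def inspect_archive(data: bytes, label: str, findings: List[Finding]) -> None:
    """Inspect one archive held in memory; recurse into nested jars/wars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        has_pom, has_jndi = POM_PROPS in names, JNDI_CLASS in names
        if has_pom or has_jndi:
            ver = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if has_pom else None
            ver_str = ".".join(map(str, ver)) if ver else None
            findings.append(Finding(label, ver_str, has_jndi, classify(ver, has_jndi)))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), f"{label}!/{name}", findings)

def scan_for_log4j(root: str) -> List[Finding]:
    """Walk a directory tree and report every log4j-core archive found in it."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings

def status_by_jar(findings: List[Finding]) -> dict:
    """Map the innermost archive file name to its status, for quick reporting."""
    return {os.path.basename(f.path.rsplit("!/", 1)[-1]): f.status for f in findings}

def build_sample_tree(root: str) -> None:
    """Constructed fixtures (not real Log4j builds): minimal zips carrying the same
    marker entries as real log4j-core jars, so the scanner can run offline."""
    def fake_jar(version: Optional[str], with_jndi: bool, extra: Optional[dict] = None) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            if version:
                zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
            for name, data in (extra or {}).items():
                zf.writestr(name, data)
        return buf.getvalue()
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    samples = {
        "lib/log4j-core-2.14.1.jar": fake_jar("2.14.1", True),
        "lib/log4j-core-2.17.1.jar": fake_jar("2.17.1", True),
        "lib/log4j-core-2.15.0-stripped.jar": fake_jar("2.15.0", False),
        "lib/other.jar": fake_jar(None, False, {"com/example/Foo.class": b"\xca\xfe"}),
        "app.war": fake_jar(None, False, {"WEB-INF/lib/log4j-core-2.11.2.jar": fake_jar("2.11.2", True)}),
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

def demo_scan() -> dict:
    """Build the constructed tree in a temp dir, scan it, return name -> status."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return status_by_jar(scan_for_log4j(tmp))

if __name__ == "__main__":
    for name, status in sorted(demo_scan().items()):
        print(f"{status:10s} {name}")
```

Run as-is, the script builds the fake tree in a temporary directory and prints one line per hit; point `scan_for_log4j()` at a real root (an application server's deployment directory, for instance) to use it in earnest. A "mitigated" result means `JndiLookup.class` has been stripped, which closes the JNDI lookup path but leaves the jar below the patched release, so it should still be upgraded; a copy with no readable version but `JndiLookup.class` present is reported as vulnerable so it gets a manual look rather than being silently skipped.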
Microsoft has also updated its guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. Microsoft pointed out that the component is widely used across many software products and services, so the vulnerability affects not only applications but also the services built on those applications. According to the statement, exploitation attempts and testing remained high during the last weeks of 2021.
Microsoft also observed attackers adding exploits for these vulnerabilities to existing malware kits and tactics, so organizations may not realize that their environments are already compromised. The company urged organizations to conduct an additional review of the systems where the vulnerability may reside. Given the number of software products and services affected and the pace of updates, Microsoft expects remediation to have a long tail, requiring ongoing, sustainable vigilance.