Before the holidays, we warned of a critical vulnerability in a widely-used Java logging utility that could affect tens of thousands of companies. Since that original alert, multiple US and foreign government cybersecurity agencies published a joint advisory and guidance for affected organizations recommending that patches or workarounds be applied immediately to mitigate the vulnerabilities and exposure. The US Cybersecurity and Infrastructure Security Agency also ordered US federal civilian executive branch agencies to patch within days of the order.
The Federal Trade Commission has now issued a release warning all companies utilizing the Java-based Log4j to identify and remedy the reported vulnerabilities. The FTC warns that companies are obligated to “take reasonable steps to mitigate known software vulnerabilities” under various laws, including the FTC Act and the Gramm-Leach-Bliley Act, and that the Commission “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure.”
If your company has not analyzed its exposure to Log4j, it is time to do so and to deploy patches or workarounds if patches are not possible. Apache has created a full site with patches and more information. Breaches resulting from a failure to address this critical vulnerability can exposure your company to regulatory actions in addition to potential litigation.