
Federal Trade Commission Threatens to Go After Companies That Don’t Patch Log4j

Log4j is used by millions of installed software packages to capture log information. Over the last few weeks, the Apache Foundation, which distributes Log4j, has released multiple versions of the software, attempting to close bug after bug as each one has been found.

Companies now need to figure out whether they are running any software that uses Log4j and if so, figure out how to get it patched. Researchers say that there are tens of thousands of open source software packages that contain vulnerable versions of Log4j.

Reach back a few years to the Equifax breach, one of the largest breaches in U.S. history. That breach was directly related to a different piece of Apache software, Struts, which had a vulnerability that Equifax did not patch. That unpatched flaw let the hackers in, and from there they stole data on almost 150 million Americans.

This week the Federal Trade Commission released an announcement that says that companies have a duty to take reasonable steps to mitigate known vulnerabilities.

What is new is that, for the first time, the FTC says that it will use the full authority it has under the FTC Act and Gramm-Leach-Bliley to go after companies that do not patch their software.

They not so subtly added that Equifax paid a $700 million fine for not patching its systems effectively.

Given that the Apache Foundation has released 4 new versions of the software in the past two weeks, that we know the Chinese and others are already exploiting companies that have not patched their systems, and that the FTC is now threatening to go after companies that do not patch, there is some urgency.

One of the challenges for companies is that Log4j is installed in software from third parties like Cisco and VMware, along with hundreds of other companies, and is also embedded in open source software – all of it not very visible to the average IT team.

Nonetheless, the burden rests on your shoulders to deal with this.
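Finding those embedded copies is the first step, and it is the one IT teams most often miss because log4j-core is frequently packaged inside a vendor's .war or .ear rather than sitting on disk as a plain file. The following inventory scanner is an added example, not code from this alert, the FTC or Apache: it walks a directory, opens every .jar/.war/.ear/.zip, recurses into archives nested inside them, and reports each log4j-core copy with the version recorded in its Maven pom.properties and whether the JndiLookup class is still present. The sample tree it builds is constructed for the demonstration, and its version string is a placeholder to be compared against Apache's advisory rather than a real release number.

```python
import io
import os
import re
import tempfile
import zipfile

# Maven writes this file into log4j-core jars; it records the bundled version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The lookup class implicated in the Log4j advisories; its presence is worth reporting.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _scan_archive(zf, location, findings):
    """Record any log4j-core in this archive, then recurse into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        findings.append({
            "location": location,
            "version": m.group(1).strip() if m else "unknown",
            "jndi_lookup_present": JNDI_LOOKUP in names,
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:  # a nested entry may merely be named like an archive
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_archive(inner, f"{location}!/{name}", findings)


def find_log4j(root):
    """Return every log4j-core copy under root, including ones nested in other archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue  # damaged or mis-named file; not an archive
    return findings


def build_sample_tree():
    """Constructed sample: a vendor app.war that hides log4j-core inside WEB-INF/lib."""
    root = tempfile.mkdtemp()
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "version=2.x.y-SAMPLE\n")  # placeholder, not a real release
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")       # placeholder class bytes
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", core.getvalue())
    return root
```

Point `find_log4j` at an application or vendor install directory and compare each reported version against the current Apache Log4j advisory; a hit with `jndi_lookup_present` set is one that has neither been upgraded nor had the lookup class removed.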

The FTC press release can be found here.