SEC, FTC Issue Warning on Log4j Vulnerabilities
The U.S. Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) are sending warnings to companies that don’t address the risk from the Log4j vulnerabilities.
The FTC in particular has warned companies to remediate security vulnerabilities in Log4j, a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services.
Recently, a serious vulnerability in the popular Java logging package, Log4j (CVE-2021-44228) was disclosed, posing a severe risk to millions of consumer products and to enterprise software and web applications. This vulnerability is being widely exploited by a growing number of attackers.
The SEC noted in its spotlight box that the Cybersecurity and Infrastructure Security Agency (CISA) and its partners are responding to active, widespread exploitation of the critical remote code execution vulnerability in Apache’s Log4j software library.
“Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information,” they wrote. “An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”
The FTC’s published warning also made note of Equifax, whose failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau (CFPB) and all fifty states.
“Log4j is a deeply embedded vulnerability that impacts the foundations of modern software,” explained Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services. “Software customers lack visibility into vendor exposure, while other organizations may not have the resources to properly identify and remediate the vulnerability in-house.”
He noted that several weeks after the vulnerability became public, there were well-known security vendors that still had not released a patch.
FTC Threatens Legal Action on Unpatched Log4j Vulnerabilities
The FTC, for its part, raised the possibility of legal action targeting organizations that fail to address the risk from the Log4j vulnerabilities.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” it stated in a blog post. “Failure to identify and patch instances of this software may violate the FTC Act.”
The FTC said organizations should consult the CISA guidance, which includes updating the Log4j software package to the most current version found and ensuring remedial steps are taken to ensure that the company’s practices do not violate the law.
The guidance also called for distributing this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
“The FTC’s warning is meant to create urgency within the software industry; not patching Log4j may violate the FTC Act if its exploitation leads to consumer harm, like a data breach,” McCarthy said.
He added that the warnings from the SEC and FTC indicate the government understands how valuable information systems are to business operations and the impact exploitation has on the public.
“Information sharing is key when it comes to critical vulnerabilities like Log4j,” he said. “Sometimes, the technical details get lost between IT practitioners and the board of directors; these types of warnings promote top-down remediation efforts.”
Stefano De Blasi, cyberthreat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, added that the FTC warning regarding Log4j is another testament to the severity of this set of security vulnerabilities.
“Using a risk-based approach, vulnerabilities are measured by the potential impact of their exploitation against the likelihood of it happening,” he said. “Given that Log4j impacts a wide number of services and enables remote code execution, the vulnerability represents a significant risk for numerous companies operating across almost every sector.”
De Blasi said ignoring vulnerability patch requirements and warnings by governmental agencies significantly increases organizations’ risk of being compromised.
“Patching everything immediately is not a feasible strategy for understaffed cybersecurity teams,” he said. “However, using vulnerability management and intelligence solutions can support the prioritization of remediating efforts and avoid leaving exploitable vulnerabilities unpatched.”
From his perspective, these warnings can also be an important tool to prevent leaving critical vulnerabilities unpatched.
“Reminding businesses about historical events that could have easily been prevented and that led to catastrophic damages, like the 2017 Equifax breach, can remind negligent companies of the importance of basic security hygiene practices,” De Blasi added. “Nonetheless, the extent to which these warnings result in a tangible effect on business decision-makers remains debatable, given that many other governmental bodies had previously already issued similar warnings.”
