You may have heard of a security vulnerability from December 2021 involving Log4j that allows attackers to remotely gain control of a vulnerable device. You may also think this is old news and no longer an issue. Wrong. According to an April 26, 2022 report from researchers at the cybersecurity company Rezilion, there are currently over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed. That’s right – four months after the vulnerability was disclosed, a majority of affected open-source components remain unpatched and companies continue to use vulnerable versions of this tool. So, what is it anyway, and do you need to take any action to mitigate the risk?
What is Log4j? Log4j is an Apache Java-based logging library that is broadly used in many popular consumer and business-related websites and applications for the purpose of tracking security and performance information. The vulnerability in it is a remote code execution (RCE) vulnerability.
What is the risk? The nature of the capabilities associated with the Log4j vulnerabilities leaves the door open for attackers to execute malicious code remotely – meaning bad actors can steal data, install malware, or simply take control of a system via the Internet – which presents obvious, severe risks for consumers and businesses alike.
The Log4j vulnerabilities are considered severe because Java is so ubiquitous across operational and technology platforms, which makes them easy to exploit by malicious third parties who can use security, performance, and personal identification information to take full control of systems.
Who does it affect? The vulnerability affects Apache’s Log4j library, versions 2.0-beta9 to 2.14.1. Just to name a few, some of the more well-known software products that utilize the Java logging library include Amazon, Microsoft Azure, Cisco, ESRI, Exact, Fortinet, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware.
The Log4j security risk is so severe that the Federal Trade Commission (FTC) has issued a notice warning companies that they could be subject to legal action if they fail to remediate the Log4j vulnerability, and has instructed parties to take immediate reasonable steps to patch the vulnerability. In light of this explicit notice, the FTC has made clear that it will not have sympathy for parties who fail to follow the recommended action.
The first step is to check if you use the Log4j software library by consulting the Cybersecurity and Infrastructure Security Agency (CISA) guidance.
If you do use the Log4j software, take the following actions IMMEDIATELY:
- Update your Log4j software package to the most current version and consult your vendor's instructions on the same
- Consult CISA guidance to further mitigate the vulnerability
- Inform relevant third-party subsidiaries that sell products or services and end users of any products or services who may be vulnerable
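A first-pass inventory check for the steps above, as an added example that is not from the original article or from CISA: it walks a directory for `log4j-core` JARs, including ones bundled inside JAR/WAR/EAR archives, and flags versions in the 2.0-beta9 to 2.14.1 range given earlier. The function names are this example's own, and it assumes the version can be read from the JAR file name.

```python
import re
import sys
import zipfile
from pathlib import Path

# Release stages in ascending order; a final release sorts after any pre-release.
STAGES = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
# Affected range exactly as stated on this page: 2.0-beta9 through 2.14.1.
FIRST_AFFECTED = (2, 0, 0, STAGES["beta"], 9)
LAST_AFFECTED = (2, 14, 1, STAGES[None], 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
# Assumption: the version is taken from the JAR file name (log4j-core-<version>.jar).
JAR_RE = re.compile(r"(?:^|/)log4j-core-([0-9][^/]*)\.jar$")

def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple, or None if unparseable."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGES[stage], int(stage_no or 0))

def is_affected(text):
    """True if the version parses and lies in the range this page gives."""
    v = parse_version(text)
    return v is not None and FIRST_AFFECTED <= v <= LAST_AFFECTED

def scan(root):
    """Yield (location, version, affected) for each log4j-core JAR under root,
    including JARs bundled one level deep inside JAR/WAR/EAR archives."""
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in (".jar", ".war", ".ear") or not path.is_file():
            continue
        names = [(str(path), path.name)]
        try:
            with zipfile.ZipFile(path) as archive:
                names += [(f"{path}!{n}", n) for n in archive.namelist()]
        except zipfile.BadZipFile:
            pass  # not a readable archive; still checked by its file name
        for location, name in names:
            m = JAR_RE.search(name)
            if m:
                yield location, m.group(1), is_affected(m.group(1))

if __name__ == "__main__":
    for location, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("AFFECTED" if affected else "ok      ", version, location)
```

Run it with the directory to scan as the only argument. A version string it cannot parse is reported as not affected, so review those entries by hand.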
You’ve heard it before – an ounce of prevention is worth a pound of cure.
Follow the FTC's recommendations and act early.
Taft’s Privacy and Data Security attorneys can assist in answering any questions or advising on how to manage and mitigate risks associated with the Log4j vulnerabilities, as well as how to properly notify and communicate with end users, third party subsidiaries, and other associated parties.