The Federal Trade Commission (FTC) has urged US organizations to patch the recently discovered Log4Shell vulnerability or risk facing punitive action from the agency.
The consumer protection agency said that the original CVE-2021-44228 bug found in the Java logging utility late last year is being widely exploited in the wild and poses “a severe risk to millions of consumer products,” including enterprise software and web applications.
“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss and other irreversible harms,” it continued.
“The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
The FTC highlighted the case of Equifax, one of the big three credit agencies, which failed to patch a known Apache Struts flaw back in 2017, leading to the compromise of sensitive information on 147 million consumers. The firm subsequently agreed to pay $700m to settle with the agency and individual states.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” it said.
Although Log4Shell was the first and most severe of the bugs recently found in Log4j, it was followed by several further disclosures, including CVE-2021-45046, initially classified as a denial-of-service (DoS) vulnerability but subsequently found to enable information leakage and remote code execution in some environments.
This was followed in late December by the DoS bug CVE-2021-45105 and the arbitrary code execution flaw CVE-2021-44832.
Microsoft warned on Monday that “exploitation attempts and testing have remained high during the last weeks of December,” with commodity attackers and nation-state actors alike looking to cash in.
“At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” it added.
“Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.