US government will take actions against companies that don’t fix Log4j vulnerabilities in their infrastructure

In its latest report, the U.S. Federal Trade Commission (FTC) called on U.S. organizations to address the vulnerability known as Log4Shell, warning that entities that do not apply the corresponding updates could face severe penalties as well as the risk of cyberattack.

Detected in late 2021, this vulnerability, tracked as CVE-2021-44228, became one of the most heavily abused security issues in recent memory, posing a severe risk to enterprise software and web application deployments.

The FTC believes it is critical that public and private organizations take reasonable steps to mitigate the risk of exploitation of these flaws affecting Log4j, something that is also required by existing laws such as the Federal Trade Commission Act and the Gramm-Leach-Bliley Act.

The Agency cites as an example the case of the credit bureau Equifax, which for a long time operated systems that were vulnerable to a known flaw in Apache Struts, which eventually led to the compromise of confidential information belonging to more than 140 million users. As a result, the company had to pay a fine of $700 million USD, in addition to implementing a strict security audit.

Log4Shell was the first flaw of its kind detected by experts, but unfortunately it is not the only vulnerability in Log4j: soon after, researchers detected CVE-2021-45046, a denial of service (DoS) flaw that could even lead to sensitive data breach scenarios. At least two more bugs have been found since.

This week, Microsoft warned that it has observed multiple exploitation attempts since the end of December, carried out by both individual threat actors and state-sponsored actors: “At this juncture, customers must assume a wide availability of exploit code and scanning capabilities to be a real and present danger to their environments,” the company concludes.
