
United States: Sanctions for companies that do not patch Log4j

The US Federal Trade Commission (FTC) is warning that it will pursue companies that do not take sufficient precautions to address the vulnerability in the Java logging library Log4j.

“The FTC intends to use all the legal authority at its disposal to prosecute companies that fail to take reasonable steps to protect consumer data from exposure to Log4j or other known similar vulnerabilities in the future,” the agency said on Tuesday.

“Failure to identify and correct instances of this software may be a violation of the FTC Act.”

Essential projects, but sometimes vulnerable

The agency then cites the example of the $700 million penalty Equifax agreed to in 2019 to illustrate what can happen when an organization’s customer data is exposed.

“The vulnerability of Log4j is part of a larger set of structural issues. It is one of thousands of little-known, but critically important, open source services that are used in a nearly countless variety of internet-related companies,” the FTC says.

“These projects are often created and maintained by volunteers, who do not always have the adequate resources and personnel to respond to incidents and provide proactive maintenance, even though their projects are essential to the internet economy.”

“This global dynamic is an element that the FTC takes into account,” the organization adds, noting that it is striving to “solve the fundamental problems that endanger the safety of users”.

Realize the magnitude of the problem

That same morning, Microsoft warned in a statement that the Log4Shell issue may not be taken seriously enough: not only do not all organizations appear to be aware of the magnitude of the problem in their environments, but attempts to exploit this vulnerability remained high through the end of 2021.

“At this point, our customers should assume that the wide availability of exploit code and analysis capabilities is a real and present danger to their environments,” says Microsoft.

“Due to the many software and services that are impacted and given the pace of updates, it should take time to remedy the problem, which requires continuous and lasting vigilance.”

Cloudflare indicated last month that it had detected activity linked to remote exploitation of this flaw from December 1st onwards, meaning the vulnerability had been known for at least nine days by the time it was publicly disclosed.

Source : ZDNet.com
