As companies scramble to address the newly exploited, ubiquitous Log4j vulnerability, companies' actions are now the potential source for government scrutiny. Our Privacy, Cyber & Data Security Team summarizes what the Log4j vulnerability is and how it's being exploited, the recent Federal Trade Commission admonition to take the vulnerability seriously, and published guidance from the public and private sectors on remediation steps.
- The vulnerability impacts versions 2.0 through 2.16 and can allow for DoS attacks
- The FTC calls it a "severe risk" and says it will "use its full legal authority" against companies that fail to protect consumers
- General principles and resources that can guide your analysis
Over the past month, the public and private sectors have watched with growing concern as the scope of the Log4j vulnerability has materialized. The best up-to-date intelligence on the vulnerability and recommended mitigation steps is originating from security firms and the government through the Cybersecurity and Infrastructure Security Agency (CISA). While the vulnerability itself poses significant potential risks to businesses and their products, there is now also the possibility of Federal Trade Commission (FTC) enforcement or other regulatory review of companies that do not take "reasonable steps" to address the vulnerability.
What Is the Log4j Vulnerability?
Private and public sector partners report that the Log4j vulnerability is the most (or one of the most) prolific vulnerabilities ever reported. The vulnerability is in a Java-based tool from Apache's open-source library used for parsing logs. The tool basically provides a logging system for applications to keep a running list of activities they have performed.
The vulnerability was initially believed to impact Log4j versions 2.0 to 2.14.1 as a way an attacker could engage in remote code execution (RCE). The RCE could allow the attacker to take full control over the system and then steal information, launch ransomware, or conduct other malicious activity. Now, it is also known that vulnerability may also allow for denial of service attacks and may have varying degrees of impact to versions 2.0 to 2.16.
The vulnerability is prolific because Log4j is widely used by enterprise and cloud applications and devices and the affected versions of the applications were released beginning in 2013. CISA has compiled a Github repository identifying potentially affected vendors and software and lists their status (affected, not affected, under investigation, or fixed) and whether or not a patch has been released. This list currently includes thousands of vendors and software products, and government sources indicate that the number of entities ultimately touching resources including Log4j may be in the hundreds of millions.
How Is Log4j Being Exploited?
While the vulnerability was publicly announced on December 9, 2021, the vulnerability appears to have been presented at a Black Hat conference in 2016. While the initial reports of exploitation related primarily to script kiddies finding the vulnerability and dropping bitcoin mining code on Minecraft servers, there are now also reports of follow-on activity including both nefarious criminal activity and state-sponsored actors. Security firms have reported that many existing attackers have added Log4j-related exploits to their existing malware tools and tactics and that exploitation attempts remained high through the end of 2021.
What Is the Legal or Regulatory Risk?
Any significant vulnerability, particularly one that can be exploited to deploy ransomware or potentially provide a foothold for data exfiltration, may pose potential legal and regulatory risks. But now the FTC has warned companies that it "intends to use its full legal authority" against any company that fails to take "reasonable steps" to protect consumers from the Log4j vulnerability. In a January 4, 2022 release, the FTC cautions that the Log4j vulnerability is being widely exploited by a growing number of attackers and poses a "severe risk" to millions of consumer products. The FTC urges companies to "act now" to mitigate threats from the Log4j vulnerability or "similar known vulnerabilities" or risk legal action. Unfortunately, the FTC provides no guidance on what these "similar known vulnerabilities" may be:
The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.
According to the FTC, companies using Log4j should update software packages to the most current version, take steps to identify and remediate this vulnerability, and distribute information about the vulnerability to relevant third parties with consumers who may be vulnerable. The FTC also encourages companies to consult CISA's guidance for additional mitigation steps. However, the FTC's statement does not address the fact that many companies will not be able to update or patch their products until a vendor releases updates or provides further direction, and as illustrated by the CISA Github repository, the list of products pending patches is significant.
How Can My Organization Mitigate This Vulnerability and Associated Risk?
There is no one-size-fits-all approach to the reasonable steps an organization should take to investigate and mitigate the Log4j vulnerability. However, there are general principles and resources that can guide your analysis.
- Understand your risk posture. Due to the widespread use of Log4j in both front- and backend systems and applications, it may be very difficult to identify and mitigate all the applications, servers, operational technology, and other systems using Log4j. Moreover, a company may be reliant on vendors to provide patching services when the Log4j vulnerability is built into one of their products. Nonetheless, companies should take steps to understand their possible risk exposure from this vulnerability, including by identifying where an organization is using Log4j as best as possible and the type of data that might be impacted should the vulnerability be exploited. To aid in this identification process, CISA has published lists of resources that can be used to identify uses of Log4j in a company's environment.
- Once you identify Log4j use, consider published guidance on the mitigation steps appropriate to your organization. Once Log4j is identified, both private and public sector partners recommend patching if you can (multiple updates from Apache are already available), monitoring if you are able, and segmenting any products you cannot patch so there is no outbound internet access. In addition, these sources also recommend using a web application firewall to block traffic if you cannot patch and cannot segment. More details on CISA's guidance and more-detailed technical mitigation recommendations are available here.
Ultimately, it may take months or even years to know - and mitigate - the full scope of this vulnerability. In reality, how each organization is going to be able to mitigate this vulnerability will need to be tailored to its operations because some may have lesser control or visibility over the systems that run Log4j.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.