Security News > 2022 > January > FTC threatens “legal action” over unpatched Log4j and other vulns
It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.
The FTC's brief but blunt warning makes an example of the infamous Equifax breach of 2017, where the US credit reporting behemoth was compromised via an unpatched Apache Struts vulnerability with the unassuming bug identifier CVE-2017-5638.
The FTC keenly reminds us that Equifax ended up paying $700 million to settle the ensuing legal actions from the FTC itself, from the US Consumer Financial Protection Bureau, and from all fifty US states.
The FTC intends to use its full legal authority to pursue companies that fail to take?reasonable?steps to protect consumer data from exposure?as a result of Log4j,?or similar known vulnerabilities in the future.
Interestingly, the Apache Struts vulnerability that caught out Equifax had many similarities with the Log4Shell security hole in Apache's Log4j logging code.
The FTC is essentially warning companies and vendors that some vulnerabilities and patches are important enough that there's no longer room for lead, follow, or get out of the way; there's room only for lead. In Naked Security's own regularly repeated words: patch early, patch often.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-03-11 | CVE-2017-5638 | Improper Handling of Exceptional Conditions vulnerability in multiple products The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. | 9.8 |