Security News > 2022 > January > FTC threatens “legal action” over unpatched Log4j and other vulns

FTC threatens “legal action” over unpatched Log4j and other vulns
2022-01-05 19:37

It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.

The FTC's brief but blunt warning makes an example of the infamous Equifax breach of 2017, where the US credit reporting behemoth was compromised via an unpatched Apache Struts vulnerability with the unassuming bug identifier CVE-2017-5638.

The FTC keenly reminds us that Equifax ended up paying $700 million to settle the ensuing legal actions from the FTC itself, from the US Consumer Financial Protection Bureau, and from all fifty US states.

The FTC intends to use its full legal authority to pursue companies that fail to take?reasonable?steps to protect consumer data from exposure?as a result of Log4j,?or similar known vulnerabilities in the future.

Interestingly, the Apache Struts vulnerability that caught out Equifax had many similarities with the Log4Shell security hole in Apache's Log4j logging code.

The FTC is essentially warning companies and vendors that some vulnerabilities and patches are important enough that there's no longer room for lead, follow, or get out of the way; there's room only for lead. In Naked Security's own regularly repeated words: patch early, patch often.


News URL

https://nakedsecurity.sophos.com/2022/01/05/ftc-threatens-legal-action-over-unpatched-log4j-and-other-vulns/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2017-03-11 CVE-2017-5638 Improper Handling of Exceptional Conditions vulnerability in multiple products
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
network
low complexity
apache ibm lenovo hp oracle arubanetworks netapp CWE-755
critical
9.8