CISA Offers Guidance to Mitigate the Log4j Vulnerability and Avoid Legal Action
Log4j is a network of code packages for logging files that were designed to take data from an application and reuse it elsewhere. Disclosed in early December, a vulnerability exploited in the Log4j code allowed attackers to remotely and easily force a system to execute the code of their choice. Log4j vulnerability is one of the most serious cyber vulnerabilities discovered in recent years because the logj4 code is open source and is commonly used by programmers. Consequently, it is embedded in so many products that the breach will likely impact most Windows, Linux, and Apple iOS users and could take years to completely remediate.
To reduce the damage caused by the Log4j vulnerability, companies must take reasonable steps to mitigate known software vulnerabilities to reduce the likelihood of harm to consumers or take the risk of Federal Trade Commission (FTC) legal action. To check if your company's data may be at risk, reference the information and guidance shared by the Cybersecurity and Infrastructure Security Agency (CISA) at: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.
After reviewing the CISA information and learning if you use, the Log4j software library, it is best to update your log Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html(link is external)
Failure to take these steps will help to ensure that your company isn't violating any law. Failure to identify and patch known instances may violate the FTC Act.
If your organization needs help reviewing the CISA, guidance, Key Cyber Solutions can provide guidance to complete the process and make conduct assessments to ensure vulnerabilities are properly remediated in products and services that use affected software versions. For more information, visit Key Cyber Solutions.