FTC: Patch Log4j Now or Risk Major Fines
The Federal Trade Commission (FTC) has urged US organizations to patch the recently discovered Log4Shell vulnerability or risk facing punitive action from the agency.
The consumer protection agency said that the original CVE-2021-44228 bug found in the Java logging utility late last year is being widely exploited in the wild and poses “a severe risk to millions of consumer products,” including enterprise software and web applications.
“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss and other irreversible harms,” it continued.
“The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
The FTC highlighted the case of Equifax, one of the big three credit agencies, which failed to patch a known Apache Struts flaw back in 2017, leading to the compromise of sensitive info on 147 million consumers. The firm subsequently agreed to pay $700m to settle with the agency and individual states.
“The FTC intends to use its