- The Federal Trade Commission warned companies to remediate Log4j vulnerabilities or face potential enforcement action, as threat actors have begun scanning systems and launching attacks that pose a risk to millions of consumer products, enterprise software and web applications.
- Companies are required to take "reasonable steps to mitigate known software vulnerabilities" under the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, the agency said Tuesday.
- Meanwhile, traditional dependency scanning methods to check for vulnerabilities failed to detect hundreds of instances of vulnerable code in the Maven Central repository, according to a report from JFrog Security. Vulnerable applications may remain undetected, which could put organizations at undue risk to malicious threat activity.
The FTC action underscores a commitment by federal regulators to ensure a more secure environment for enterprise and consumer software, according to legal experts and industry analysts.
"Barring a massive, public breach of a large company, via exploiting this vulnerability, enforcing this warning will be a complex task," Allie Mellen, analyst, security and risk at Forrester, said via email. "However, it is another aspect of the potential impact of an exploit of this vulnerability that should give businesses pause."
The key words in the FTC warning are that companies need to "take reasonable steps," according to attorney Brenda Sharton, litigation partner and global co-chair of the privacy and cybersecurity practice at Dechert.
"It is rare for the FTC to issue such a specific warning regarding a patch, but it shows the level of seriousness with which they will meet a company that turns a blind eye to the need for this patch," Sharton said.
Companies can face a very long and detailed investigation into their practices if the FTC targets them in such an investigation, Romaine Marshall, a partner at the law firm of Armstrong Teasdale, said.
"They angle towards a business settlement, but that can be after an 18 to 24 month investigation into your systems and whether or not you have reasonable security," Marshall said.
The FTC reached a settlement for up to $700 million with Equifax in 2019, after the company failed to patch a known vulnerability in Apache Struts resulting in a breach that exposed the personal data of 147 million consumers. The Consumer Financial Protection Bureau and 50 states and territories were part of the settlement.
"We've brought a number of cases involving the lack of reasonable security, some of which involve the failure to fix known vulnerabilities, including our case against Equifax," a spokesperson for the FTC said via email.
Asked whether an actual data breach is required to take enforcement action, an official said each situation is taken on a case-by-case basis and an investigation needs to take place in order to determine whether a law has been violated.