Industrial control system vendors are working to close Log4j vulnerabilities in their products. SecurityWeek has a useful and interesting summary of the ways in which the companies are working on the problem. Most of the issues the companies have found relate specifically to Log4Shell, but some of the later, lesser Log4j vulnerabilities have also been detected.
Regulators and legislators are looking for ways of preempting the next widespread vulnerability, and for the required responses and incentives (these last more stick than carrot) for organizations to do better. Defense Daily says US Senator Gary Peters (Democrat of Michigan), chairman of the Senate Homeland Security and Governmental Affairs Committee, commented yesterday that the Log4j issues show the importance of mandatory reporting requirements.
Media reaction to the US Federal Trade Commission's advisory about companies' responsibility for fixing Log4j vulnerabilities has focused on the FTC's tough line, and not-so-veiled warning that businesses would be well advised to get on with detection, remediation, and disclosure, lest they get the Equifax treatment.
Ransomware gangs have continued to exploit these vulnerabilities where they can. BleepingComputer reports that the Vietnamese cryptocurrency trading firm ONUS has declined to pay the $5 million ransom that hoods demanded in a double-extortion scheme.
You can follow the CyberWire's coverage of the Log4j story here.