CISA says that large US Federal agencies met the risk mitigation deadlines of ED 22-02. The US FTC gives businesses a warning that they're at risk of regulatory and legal action if they're not comparably diligent in approaching the problem. And general remediation of the Log4j vulnerabilities continues to look like a long trip indeed.
Log4j risk mitigation (and the risks are both technical and regulatory).
Almost a month into the Log4j story, organizations believe they're making progress. The US Cybersecurity and Infrastructure Security Agency (CISA) reports that the big Federal agencies met its remediation deadlines, and the Federal Trade Commission (FTC) tells companies to go and do likewise. But the long slog is far from over, as JFrog's scan of Apache's Maven Central repository suggests.
CISA reports Federal agency compliance with Emergency Directive 22-02.
The US Cybersecurity and Infrastructure Security Agency (CISA) has told MeriTalk that the Federal agencies it oversees have substantially complied with Emergency Directive 22-02, which required that they take specified actions to mitigate risk by December 23rd, and that they report their status by December 28th. A CISA spokesperson said, “Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the internet. CISA has received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent Emergency Directive.”
This doesn't mean, of course, that the complex and very widespread risk of Log4j exploitation is now over, solved and done with. As Microsoft pointed out Monday, that's going to be a long process, and CISA's aware of that. Their spokesperson said, “CISA continues to work with each agency to drive further progress toward remediating all assets at risk.” The agency is maintaining and regularly updating a page of advice to both the public and private sectors.
The FTC outlines what it expects of businesses.
The US Federal Trade Commission (FTC) yesterday gave the businesses it regulates some direct advice on how seriously they ought to take the recently discovered Log4j vulnerabilities: "The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."
The FTC usually means business, and this case seems to be no different. The Commission's advisory includes a pointed reminder of what happened to Equifax when the credit bureau's failure to patch Apache Struts was implicated in a data breach that compromised information on some hundred-forty-seven-million individuals:
"According to the complaint in Equifax, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states. The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future."
In addition to a warning, the FTC also offers advice on how to avoid running afoul of regulatory risk. The Commission refers businesses to CISA's Apache Log4j Vulnerability Guidance. If, after self-inspection and due diligence, a business finds itself exposed to the vulnerabilities, it should take the following steps without delay:
- "Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html"
- "Consult CISA guidance to mitigate this vulnerability."
- "Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act."
- "Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable."
Looking forward, the FTC says that it's well aware of the supply chain issues open source software presents:
"The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies. These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy.[1] This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security."
What JFrog found.
Researchers at JFrog have continued their scan of Apache's Maven Central code repository. Dependency scanning had uncovered the presence of Log4j vulnerabilities in, they say, about seventeen-thousand packages. But dependency scanning won't detect packages that contain Log4j within the artifacts themselves. Such use of Log4j is less common, but it's still significant: they found some four-hundred packages that directly included Log4j.
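The detection gap described above, as an added illustration that is not JFrog's tooling or code from the original article: a manifest- or pom-based dependency scan only sees declared dependencies, so an artifact that shades Log4j classes into its own jar, or nests a library jar under WEB-INF/lib, has to be found by walking the archive entries themselves. The marker class paths are an assumption about what identifies a bundled Log4j 2 core; the sample war is constructed in memory.

```python
import io
import zipfile

# Marker class paths (assumed indicators): a Log4j 2 core class and the
# JndiLookup class. Finding either inside an artifact means Log4j is bundled
# directly, which a dependency-metadata scan would not report.
LOG4J_MARKERS = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/LogEvent.class",
)


def scan_archive(data: bytes, path: str = "<root>", max_depth: int = 5) -> list:
    """Return (location, marker) hits in a jar/zip blob, recursing into nested
    .jar/.war/.ear/.zip entries (shaded and uber jars). Non-zip data yields []."""
    hits = []
    if max_depth < 0:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            if name in LOG4J_MARKERS:
                hits.append((f"{path}!{name}", name))
            elif name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                hits.extend(scan_archive(zf.read(name), f"{path}!{name}", max_depth - 1))
    return hits


def build_sample_jar(entries: dict) -> bytes:
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_hits() -> list:
    """Constructed sample: a war that shades a Log4j class into its own tree
    and also carries a nested helper jar containing JndiLookup."""
    inner = build_sample_jar({LOG4J_MARKERS[0]: b"\xca\xfe\xba\xbe"})
    outer = build_sample_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/App.class": b"\xca\xfe\xba\xbe",
        LOG4J_MARKERS[1]: b"\xca\xfe\xba\xbe",  # shaded copy, no pom dependency
        "WEB-INF/lib/helper.jar": inner,        # nested library jar
    })
    return scan_archive(outer, "app.war")


if __name__ == "__main__":
    for location, _marker in sample_hits():
        print(location)
```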