Less than a month ago, a critical vulnerability was identified in the ubiquitous open source Log4j logging library, prompting swift guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and other security practitioners. Now, the Federal Trade Commission (FTC) has warned companies that it “intends to use its full legal authority” against any company that fails to take “reasonable steps” to protect consumers from the Log4j vulnerability.
The FTC’s release cautions that the Log4j vulnerability is being widely exploited by a growing number of attackers and poses a “severe risk” to millions of consumer products. Accordingly, the FTC urges companies to “act now” to mitigate threats from the Log4j vulnerability or “similar known vulnerabilities” or risk legal action. Unfortunately, the FTC provides no guidance on what these “similar known vulnerabilities” may be.
“The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act,” the FTC said. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
According to the FTC, companies using Log4j should update software packages to the most current version, take steps to identify and remediate this vulnerability, and distribute information about the vulnerability to relevant third parties whose consumers may be affected. The FTC also encourages companies to consult CISA’s guidance for additional mitigation steps. However, the FTC’s statement does not address the fact that many companies will be unable to update or patch their products until a vendor releases updates or provides further direction.