Log4Shell Continues to Cause Trouble in 2022
Many of us looked to put 2021 behind us at the stroke of midnight on New Year’s Eve. However, the cybersecurity pros are still dealing with the “gift” that keeps on giving from December: The Log4Shell vulnerability.
Now the federal government is stepping in to squash the threat. The Federal Trade Commission (FTC) has issued a warning saying it will pursue legal action against any U.S. company found to have put consumer data at risk by not properly mitigating Log4Shell.
The Log4Shell vulnerability continues to pose a severe risk to millions of consumer products and enterprise applications. There also is a significant risk of data loss in a data breach made possible through the vulnerability, tracked as CVE-2021-44228. The FTC has encouraged businesses to follow guidance issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The guidance includes:
- Update your Log4j software package to the most current version
- Consult the CISA guidance to mitigate the vulnerability
- Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
- Distribute info about Log4Shell and the CISA guidance to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
There also has been a fourth flaw discovered that was reported on Dec. 28 that must be taken into consideration. According to Apache, the Apache Log4j2 versions 2.0-beta7 through 2.170 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution attack.
RCE is one of the worst cybersecurity holes possible because it usually means a cybercrook can poke an unexpected program into your computer without so much as a by-your-leave. An RCE attack might inject an untrusted app, poke a binary fragment of machine code into memory, or sneakily offer up an unwanted script file. And if the attacker succeeds, you’ll run their code unknowingly.
If you have further questions or need help with Log4Shell, give us a call. 2W Tech is a technology service provider with IT Consultants on staff that have a wide berth of experience with cybersecurity and cyber defense solutions.