Third Party Risk Management

Apache Log4j Vulnerability


What needs to happen now? What needs to happen going forward?

Most likely you are aware of the FTC’s January 4, 2022 announcement regarding the Apache Log4j vulnerability. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

FTC warns companies to remediate Log4j security vulnerability | Federal Trade Commission

What does this mean to your institution?  It means that you are required to immediately address the Log4j vulnerability, internally and externally.  Failure to act could result in data, reputational, fiscal and/or regulatory repercussions.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” 

What should happen now?

  • Review your internal application inventory for anything that may use Apache Log4j. Log4j is a Java logging library, so any Java application, including vendor-supplied ones, may bundle it.
  • As of this writing, the current fixed releases are listed at Log4j – Apache Log4j Security Vulnerabilities
  • Contact your vendors and request their remediation plans for addressing the Log4j vulnerability.

What needs to happen in the coming weeks & months?

  • Log4j is just one of many vulnerabilities. Robust cyber-hygiene and the maintenance of proven best practices are critical.
  • A thorough patch management program ensures that the latest software versions are deployed in your environment.
  • Your institution’s asset inventory must be comprehensive, including all systems, servers, and versioning data.
  • A robust and cross-functional Third-Party Risk Management Program allows your institution to understand the cyber-posture of your vendors.
  • Vulnerabilities impacting your organization must be monitored so your institution remains up to date, ensuring a swift and strategic response.
  • Suspicious activities should be reported to law enforcement.

Note that the FTC has also said it intends to look further at open-source software and its potential impacts. Stay tuned – more to come.

Contact us today to learn more!