Log4Shell vulnerabilities remain extremely relevant, almost a month after their discovery. Proof of this is the alert the FTC (the Federal Trade Commission of the United States) has just issued, which does not mince words in calling on companies that have not already done so to apply the corrective measures as soon as possible, under penalty of legal action. As a reminder, Log4Shell covers several flaws identified in Log4j, the Java logging utility that is an extremely popular open-source component. On the Maven Central Repository alone, Log4j was downloaded almost 30 million times from the beginning of August to the end of November 2021.
“It is essential that the companies and their suppliers who use Log4j act now, in order to reduce the likelihood of harm to consumers and to avoid legal action by the FTC,” the US consumer-protection agency said in its recent press release. To underline that its threats are not to be taken lightly, the FTC recalls the sanction imposed on the credit agency Equifax which, in 2017, had failed to patch in time a flaw responsible for the leak of personal data of nearly 150 million people. The agency points out, for anyone who needs reminding, that Equifax was sentenced to a heavy fine of 700 million dollars.
Several teams of cybersecurity experts, notably from Crowdstrike and Microsoft, have detected that small-scale cybercriminals as well as state actors, including groups from China, Iran, North Korea and Turkey, actively exploited Log4Shell vulnerabilities during the last weeks of 2021. All organizations still at risk must urgently apply the correct patches for the version of Log4j they have installed. The remediation steps are listed by the Apache teams on the page dedicated to Log4Shell.