FTC Warns of Legal Action Against Organizations That Fail To Patch Log4j Flaw (techcrunch.com)
U.S. organizations that fail to secure customer data against Log4Shell, a zero-day vulnerability in the widely-used Log4j Java logging library, could face legal repercussions, the Federal Trade Commission (FTC) has warned. From a report: In an alert this week, the consumer protection agency warned that the "serious" flaw, first discovered in December, is being exploited by a growing number of attackers and poses a "severe risk" to millions of consumer products. The public letter urges organizations to mitigate the vulnerability in order to reduce the likelihood of harm to consumers and to avoid potential legal action.
"When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss and other irreversible harms," the agency said. "The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."
"When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss and other irreversible harms," the agency said. "The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."
trickle down to the designers/programmers? (Score:2)
Re: (Score:3)
No, unless the library in question was designed to be malicious in nature.
No, if you fail to follow the proper guideline and cannot come with a good reason as to why.
medical vendors need to let places do windows upda (Score:2)
medical vendors need to let places do windows updates as some say must be on network and no you can't update windows
Re: (Score:2)
If windows didn't consistently break shit (and/or push more ads at you) when you updated, or have updates that take too damn long and can't be done in the background, then people would be less resistant to updating it.
Re: (Score:2)
If windows didn't consistently break shit (and/or push more ads at you) when you updated, or have updates that take too damn long and can't be done in the background, then people would be less resistant to updating it.
We are talking about FDA-regulated medical devices here, not the computer at the nurse's station that's used for email. Every change needs to be looked at carefully. You don't "just install" an update on a regulated medical device just because Microsoft released it a month ago and by some miracle there are no known serious bugs in the update.
Re: (Score:2)
It should be a federal offence to use Windows on a computer that contains valid information!
Re: (Score:2)
Re: (Score:2)
If you're waiting for perfect, you have a Looong wait ahead of you. That doesn't mean there isn't a qualitative and quantitative difference between the current choices.
Obligatory car analogy: No car can absolutely guarantee your safety in an accident, but you're better off in a Volvo than you are in a Yugo.
Re: medical vendors need to let places do windows (Score:2)
What they need to do is stop using Windows.
It ought to be the law in fact but since the feds get access to your data via Windows that will never happen
Re: (Score:2)
Yeah, that would make using the device in Scotland in the NHS illegal as anyone getting funding from the Scottish government must be CyberEssentials compliant which means you have to apply all critical patches within 10 days. Interestingly this was driven by a major compromise of NHS computer systems in Scotland back in 2017 by WannaCry
https://www.bbc.co.uk/news/uk-... [bbc.co.uk]
Basically you can solve this at the tender stage by putting in suitable requirements. Eventually a vendor will break and comply then the rest
Re:trickle down to the designers/programmers? (Score:5, Interesting)
If the users of libraries can't hold the library creators responsible (they can't guarantee no bugs or holes), WHY would they take that liability on? Inquiring minds want to know!
https://www.gnu.org/licenses/g... [gnu.org]
"For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions."
Re: (Score:2)
Simple: Commercial software usually effectively comes with no warranty as well, but has that hidden behind some legalese wall.
Re: (Score:1)
Re: (Score:2)
You went the wrong direction. Even commercial software can't make those guarantees. Grand-parents entire premise of suing someone for an honest mistake is flawed, both in law and computing science. Commercial software *might* be better than opensource, or it might be worse but neither can make absolute warranty that there won't be bugs.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Depends on the software license. Usually FOSS comes with "no warranty of any kind" and they are in the clear. Note that most COTS software (like, for example, all Microsoft stuff) comes with the same, but they try to hide that fact.
Re:trickle down to the designers/programmers? (Score:5, Interesting)
If the companies that used the Log4j library are prosecuted, will they in turn try to file a (civil) suit for damages against the designers or programmers who made the poor choices? Will failure to configure the library appropriately to avoid the problem be a defense? Inquiring minds want to know!
Then those users should understand what "legal liability" means. In this case the FTC is warning companies that knowingly using a defective product after they have been warned not to use that product (without fixing the product) opens them up for legal liability. This is no different than when a consumer does not fix a car ignoring a recall by the manufacturer. If someone dies in that car, then the consumer is subject to legal liability. They could try to put the blame on the manufacturer but I doubt they would get far legally.
For example, like millions of others, my car had airbags that were recalled [wikipedia.org]. In that exact case, multiple car manufacturers were affected who used Takata airbags. Now if I ignored the recall and someone was hurt or died due to faulty airbags in my car, who would be liable? Me. In my case, it was all over the news, and I was sent a letter. Also my car dealership alerted me that a recall was pending and I should schedule an appointment for the work. I could not say that I was not notified.
Re: (Score:1)
They should probably all be jailed just for using Java, but it's never gonna happen.
Re: trickle down to the designers/programmers? (Score:1)
Re: (Score:1)
There are plenty of standards (there's that word again) at every level of planning, languages that are developed to follow those standards that would have given any number of reasons why that library was crap. Or at least how to respond on a federal level in case of a pandemic....wait that's for covid. :/
Re: (Score:2)
Not really, The thing that is actually crap is the Java mechanism. log4j is pretty much a victim here. Nobody sane would have expected a simple lookup mechanism to be designed this grossly insecure.
Re: (Score:1)
Re: (Score:2)
The thing that is actually crap is the Java mechanism. log4j is pretty much a victim here.
Perhaps you should read a bit about the topic.
The "bug" is an explicit programming work in the log4j libraries. Has nothing at all to do with Java, the framework, or Java the language, or Java the JVM.
Re: (Score:3)
Never mind trying to help your actual customers.
And what should the FTC do? There is a patch already. They are telling people to apply the patch. They are warning of legal consequences if they do not patch.
Fix your software because the people in DC know how programs should run and can dictate everything to us.
The role of the FTC [ftc.gov]: "The FTC is a bipartisan federal agency with a unique dual mission to protect consumers and promote competition."
So basically they are doing their jobs by protecting consumers from faulty software used by companies. And you have an issue with that apparently.
Re: (Score:3)
Re: (Score:2)
An App on a phone most likely does not use log4j ... to where would the logs go? Who would ever read them? And how exactly would an attacker:
a) attack your phone?
b) attack an app on your phone?
Most Apps - if they use internet - can not be tricked to connect to a random server. For that you would need something like an open wifi, spoofed DNS and what else.
update your poms, build, deploy, repeat. (Score:2)
Oh wait, you're still on JDK 8? Nevermind.
Re:update your poms, build, deploy, repeat. (Score:5, Interesting)
"What's a pom? We don't have developers. We paid to have it made."
"Talk to the vendor? They wanted more than we could afford for a contract."
"Talk to a lawyer? The vendor went out of business a couple of years ago."
"Hire another vendor? The pandemic has crippled us financially."
"Shut it off? It's our whole intake system for work."
"Learn to code? Are you out of your fucking mind?"
Re: (Score:1)
"What's a pom? We don't have developers. We paid to have it made."
"Talk to the vendor? They wanted more than we could afford for a contract."
"Talk to a lawyer? The vendor went out of business a couple of years ago."
"Hire another vendor? The pandemic has crippled us financially."
"Shut it off? It's our whole intake system for work."
"Learn to code? Are you out of your fucking mind?"
If you can't afford to play the game, then don't play.
Sounds like a "We're going bankrupt" company to me...
Re: (Score:2)
... and probably with no source code escrow agreement with small vendors.
Re: (Score:2)
So what you're saying is the Log4J vulnerability is a jobs program?
Lawyers to the rescue? (Score:2)
I hope there is a trend where if corporations ignore federal warnings they are subject to big leak lawsuits.
Not the same as patching (Score:2)
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the FTC said, adding that it plans to apply its legal authority to protect consumers in the cases of “similar known vulnerabilities in the future.”
What I hate about language like this is that reasonable action could be as simple as saying "we don't allow external user inputs into our systems that aren't processed for invalid values." Or it could be something like "this app is used internally only by authorized users." While it's true that those are valid risk mitigators (though the effectiveness can easily be challenged) it's not th
Re: (Score:1)
So, the government is supposed to patch your lame internet facing Quake server or just shut it down?
Re: (Score:2)
Re: (Score:3)
Non-Patch (Score:4, Interesting)
You can mitigate the issue by shutting off the JNDI remote call in the Java runtime. From what I understand, not a lot of software uses that feature, as it's done better and more safely by various enterprise libraries. There's a library you can load into your software that does it for you. You don't need to recompile anything, as an end-user you can add the library to your runtime.
https://research.nccgroup.com/... [nccgroup.com]
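Added example, not the poster's library and not Apache or NCC Group code: the runtime-loaded agent approach described above patches the running JVM, which is the right tool when you cannot touch the artifacts. The other half of the problem for most shops was finding every copy of log4j-core in the first place, including copies bundled inside WARs and EARs, and then doing something about the ones that could not simply be upgraded. The script below scans a directory tree for archives (recursing into nested ones), reads the version from the Maven `pom.properties`, checks whether `JndiLookup.class` is still present, and writes a copy of a jar with that class removed, the stop-gap Apache documented for 2.0-beta9 through 2.10, where `log4j2.formatMsgNoLookups` is not honoured. The app tree it scans is constructed in a temp directory from stub jars containing only those two entries; the jar and WAR names are assumptions, and the 2.17.1 threshold is for the Java 8 line only (the 2.12.x and 2.3.x branches for Java 7 and 6 got separate fixed releases, 2.12.4 and 2.3.2, which this simple comparison would report as vulnerable).

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 17, 1)  # first Java-8-line release covering CVE-2021-44228/-45046/-45105/-44832


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); unparseable -> None."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", v or "")
    return tuple(int(x) for x in m.groups() if x is not None) if m else None


def inspect_archive(data, name, depth=0):
    """Yield (path, version, has_jndi_lookup) per log4j-core in `data`, recursing into nested archives."""
    if depth > 5:  # WAR in EAR in ... : stop somewhere sane
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_LOOKUP in names:  # shaded builds may lack the pom
            yield name, version, JNDI_LOOKUP in names
        for entry in sorted(names):
            if entry.lower().endswith(ARCHIVE_EXT):
                yield from inspect_archive(zf.read(entry), f"{name}!{entry}", depth + 1)


def scan_tree(root):
    """Inspect every archive under a directory tree."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def assess(version, has_jndi_lookup):
    """Classify one finding as ok / mitigated / unknown / vulnerable."""
    v = parse_version(version)
    if v is not None and v >= FIXED:
        return "ok"
    if not has_jndi_lookup:
        return "mitigated"  # JNDI lookup class removed: RCE path closed, upgrade anyway
    return "unknown" if v is None else "vulnerable"


def strip_jndi_lookup(jar_path, out_path):
    """Copy a top-level jar minus JndiLookup.class (Apache's stop-gap for 2.0-beta9..2.10)."""
    removed = False  # unpack a WAR first to treat the jars under WEB-INF/lib
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def build_log4j_core(version, with_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar (only the entries the scanner reads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic; body irrelevant here
    return buf.getvalue()


def demo():
    """Constructed app tree: scan, harden the unpatched jar, scan again -> (before, after)."""
    root = tempfile.mkdtemp()
    os.makedirs(lib := os.path.join(root, "lib"))
    for ver in ("2.14.1", "2.17.1"):
        with open(os.path.join(lib, f"log4j-core-{ver}.jar"), "wb") as f:
            f.write(build_log4j_core(ver))
    # a WAR that bundles its own old copy under WEB-INF/lib, invisible to a plain 'find *.jar'
    with open(os.path.join(root, "intake.war"), "wb") as f, zipfile.ZipFile(f, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", build_log4j_core("2.11.2"))
    report = lambda: {os.path.relpath(p, root): assess(v, j) for p, v, j in scan_tree(root)}
    before = report()
    strip_jndi_lookup(os.path.join(lib, "log4j-core-2.14.1.jar"),
                      os.path.join(lib, "log4j-core-2.14.1-nojndi.jar"))
    return before, report()
```

Removing the class closes the JNDI lookup path but is not the same as upgrading: CVE-2021-45105 and CVE-2021-44832 are only fixed by newer releases, which is why the stripped copy is reported as mitigated rather than ok. Point `scan_tree` at a real deployment directory to get the same report for it; the nested `intake.war!WEB-INF/lib/...` path form is how findings inside archives are labelled.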
Re: (Score:1)
Re: (Score:2)
Should be gross negligence by now (Score:5, Insightful)
For anybody that has still not patched things. There is really no other way of seeing this. Of course there will be many IT departments and many projects so dysfunctional that they simply cannot get it done. The cost of hiring "cheap" people.
Re: (Score:2)
If this is an ancient software package or hardware device distributed with no ongoing service contract or way EOL, why should the vendor do anything at all? What if it was free / open source? I get it if you're a business using log4j internally, but it sure doesn't seem to make any exceptions at all and so probably wouldn't have any legal grounds at all.
Re: (Score:3)
I don't think gweihir was talking about vendors needing to patch, but users.
If you're running a public-facing service that is vulnerable to this exploit, you've already been told to stop doing it and why.
Re: (Score:2)
Maybe they're not, but FTC doesn't seem to specify - which is problematic.
Re: (Score:1)
Maybe they're not, but FTC doesn't seem to specify - which is problematic.
TFA is pretty clear it's about the loss of PII due to this flaw.
if you are using log4j with PII, you should be fined if you do not fix it.
Re:Should be gross negligence by now (Score:4, Interesting)
Considering the only way to get anything done in the US is if the cost of "not doing something" is higher than actually doing something.. this action is sorely needed.
In the financial sector, and many other industries, companies run legacy/outdated systems and routinely ignore well known vulnerabilities simply because they have the luxury of passing the financial impact off to the end consumer so there is no real impact to them (other than negative press which given how much stuff goes on and how short the average american's attention span is, even that's not really much of a pain point).. So if the FTC steps in and fines the company AND makes it illegal to simply gouge the customer/end user to compensate.. Then some actual change/improvements will come about..
But until that time, its pretty much business as usual.. "Oh, that 1M fine.. sure, we will pay it, and then spread it out as 0.25c per customer per month/period"
Re: (Score:3)
Considering the only way to get anything done in the US is if the cost of "not doing something" is higher than actually doing something.. this action is sorely needed.
Pretty much. In Europe, if somebody steals all your customer data because you have not patched log4j for too long, that could get you in pretty hot water due to the GDPR, up to and including prison time (possible but unlikely) for those responsible. In the US, it will be news for a day and then everybody will again forget about it.
Re: (Score:2)
Cheap labor is still cheaper (Score:3)
Everyone likes to think of a part of a CEO's job or their iron Man style visionaries. But nobody thinks about how they impact
The Other Class of Victims (Score:2)
Owners of small to medium businesses who had the wherewithal to get a custom application done by a vendor, but not to continue to pay an ongoing eternal "maintenance contract". They may or may not have the source code... they might not have the ability to compile and run it if they do... it might need non-trivial conversion from Java 6... they may not even know yet that they're at risk. They may never know.
Note that this isn't unique to Java, even if this is a particularly awful example. I remember discover
Re:The Other Class of Victims (Score:5, Informative)
Owners of small to medium businesses who had the wherewithal to get a custom application done by a vendor, but not to continue to pay an ongoing eternal "maintenance contract". They may or may not have the source code... they might not have the ability to compile and run it if they do... it might need non-trivial conversion from Java 6... they may not even know yet that they're at risk. They may never know.
Note that this isn't unique to Java, even if this is a particularly awful example. I remember discovering I couldn't patch a huge security hole in a mission critical product because an open source library dependency had deprecated Solaris support a few years previous. We ended up doing a costly linux port instead. It could be done because the resources of the company were enormous. A smaller enterprise would have struggled.
It's bite the bullet or close the doors time if you are in that situation with Log4j. Open source isn't free. It still has to be maintained, and that still costs money. If you can not afford to maintain your software, you probably shouldn't be using said software. It is harsh, but it is true. Nothing is eternal, and all equipment wears. Digital assets are no different.
Re: (Score:2)
There's an assumption here that the described owners knew they were getting something with open source components.
Since consultants and vendors are always extremely diligent in marching prospective clients through details like these and their implications, I guess we can let that slide.
Still calling it zero-day next year? (Score:1)
Still calling it zero-day next year?
And why don't they do this for malware? (Score:2)
Don't use Java...problem solved! (Score:3)
The only Java programming I do these days is a couple of little Android apps. And those are mostly glorified web apps. I hate starting Android Studio so I generally avoid launching it for 6+ months because Google decides to deprecate and obsolete everything every 2 weeks. A couple of years ago, I was about to publish a new version of one app and Android Studio updated that same day and literally broke the application that was ready to go by deprecating and removing functionality from the import libraries! Took two days to figure out how to fix the build so it would compile again. Java is awful but Android (and Google/Alphabet) is somehow much worse.
There are plenty of far better programming languages to choose from.
Use DNS (Score:1)
FTC should provide a DNS server to query against and instruct the public to use a payload that queries it.
Good! (Score:2)
Where was the FTC 5 years ago with CVE-2017-5638 and Equifax?