You better have patched those Log4j holes or we'll see what a judge has to say – FTC

The US Federal Trade Commission on Tuesday warned companies that vulnerable Log4j software needs to be patched … or else. In case any system administrators last month somehow missed the widespread alarm over vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) in the Java logging package, the trade watchdog said …

  1. Pascal Monett

    Thank you, Senator

    "If we had a strong privacy law on the books, Mark Zuckerberg would already be in jail for his serial lying about Facebook’s abuse of Americans’ data"

    That was a great start of the year. Imagining El Zuck in jail. Hmmm.

    Now, aren't you a Senator ? What's keeping you from proposing laws that tighten up privacy ?

    Oh, it's your campaign donations that are in the way ?

    Pity.

  2. Anonymous Coward

    Maybe if the government put in place an audit function to ensure that organizations ran proper processes:

    1. Asset management

    2. Patch Management

    3. Technical Refresh

    4. etc...

    Most large orgs do not have the tooling to identify and patch en masse because the management team has no risk related to external audit, hence no need to spend money on tooling.

    Governments demanding an instant fix for a vuln that is 8 years old just shows the lack of governance. Jokers!!!!!!!!!

  3. Anonymous Coward

    Not understanding Security

    Rather than concentrating on rushing out and patching code, they should concentrate on why systems are vulnerable in the first place.

    Firstly. The Log4j exploit works by instructing the logging engine to make a call out to an Internet server (sometimes LDAP, but usually on another port). Why are those systems being allowed to initiate an outbound connection to basically a malware C&C server in the first place? It's basic security 101 that backend servers such as log engines should not have direct access to the Internet, or at least be controlled in what they can access.

    Secondly. If you are running Internet-facing systems they should be protected by a decent WAF service or application-layer firewall. When the exploit kicked off I checked the logs on our WAF and the Log4j attempts were already being blocked.

    Did we rush to Patch our servers? (Would have been 3 times because they took 3 attempts to correct it) No. We looked at our controls, analyzed the exploit and looked at the risk posed and deduced that the risk to our systems was minimal due to the controls in place and that the proposed workaround from the vendors was acceptable until that patching can be done at the next regular maintenance window. No need for risky, untested, knee-jerk, emergency patching.

    Perhaps I'm old school, but having sensible security controls in place in the first instance is better than having to firefight the next exploit.

    1. yoganmahew

      Re: Not understanding Security

      There's a refusal to firewall outgoing connections in any meaningful way. The beancounters have seen the price and they don't approve...


  4. Anonymous Coward

    "That will go right to Facebook’s business model and hit its bottom line, which seems to be the only thing that company cares about.”

    Well, yeah, but technically that is true of any American corporation because some bozos made it the law that they're not to consider anything else in their decision making. In fact, it is flat out illegal under American law for a corporation to not seek profits.

    1. hayzoos

      "In fact, it is flat out illegal under American law for a corporation to not seek profits."

      Please identify the law requiring the seeking of profits. I was unaware of this situation.

      1. MisterHappy

        eBay vs Newman

        I think this is the one...

        Under eBay v. Newman, “it is literally malfeasance for a corporation not to do everything it legally can to maximize its profits.”

        IANAL - It boils down to "a duty to maximise shareholder value", there are varying opinions on this and the majority state that this is not a legal requirement.

        Then again, corporations are people now so who knows?

        1. Cederic

          Re: eBay vs Newman

          Al Franken's opinion is not law.

          The judgement in eBay v. Newman disagreed with Franken.

          Shareholder value does not mean profit. The two are merely often aligned.

          1. John Brown (no body)

            Re: eBay vs Newman

            Exactly. The "value" to shareholders may be that the company doesn't invest in any form of weapons or military systems, or that the company has a healthy charitable arm where a percentage of profits go or any of a number other ethical reasons.
