In brief
A flaw in widely used software threatens system security and leaves companies vulnerable to cyber threats. The Apache Software Foundation has released an advisory that Apache Log4j versions up to and including 2.14.1 contain a defect that may allow threat actors to execute arbitrary code and deploy malware, including ransomware, on the affected IT infrastructure. Entities that directly or indirectly rely on this software should act quickly to mitigate the risk of a data incident. These events also give companies an opportunity to examine their internal incident response preparedness and to review the allocation of responsibilities in their vendor agreements.
Key takeaways
To assist in assessing vendor exposure, we are providing a sample list of cybersecurity questions to ask your technology service providers about the Apache Log4j vulnerability:
- Do you currently use or have you used the Apache Log4j open source software within your environment?
- If yes, have you upgraded to Log4j 2.16.0?
- If you have not upgraded to Log4j 2.16.0, do you intend to do so, and is there a timeline for this upgrade?
- Have you been formally notified of a potential impact to your systems in connection with the recently identified software vulnerability? If yes, please provide whatever details are currently available.
- Have you evaluated the Cybersecurity and Infrastructure Security Agency Guidance and/or Apache Foundation statements on this matter? If so, what changes have you made to your IT systems as a result?
- Have you conducted an assessment of your IT systems to identify any irregularities associated with this software vulnerability?
- Do you have any evidence to suspect that your network may have been compromised by the Log4j vulnerability?
- Have you checked with all subcontractors (e.g., HVAC, anti-malware provider, vulnerability scanning provider, cloud providers) that have access to your network to see if they have evaluated their own internal network to verify that they were not compromised by the Log4j vulnerability?
As additional information about this cyber crisis comes to light, it is important that companies take appropriate action now to mitigate the potential harm to which their organizations may be exposed. If you have any questions about this or any other privacy or data security law development, please do not hesitate to contact one of the authors.
In depth
Log4j, open source software, is most frequently used to collect information across corporate computer networks, websites and applications. It is a logging utility widely used by applications and cloud services. For many years, the relevant versions of Log4j have been distributed directly to users and developers, as well as to entities that have incorporated it into their product or service offerings. This makes it difficult to measure the breadth of the vulnerability. GitHub is, however, providing a regularly updated list of technology suppliers that use Log4j, which can be used to identify any of your vendors that may be impacted. Recent reporting indicates that many malicious actors, including those linked to China, Iran, North Korea, and Turkey, are already looking to exploit Log4j.
Entities would be well-served by testing the operability of their breach response policies. In the event of a data security incident, such as a ransomware attack, you will want to have internal and external resources in place to effectively combat the threat and communicate with customers, the media, or other stakeholders. Companies can conduct tabletop exercises to evaluate the efficacy of the existing processes and make adjustments where necessary.
Entities that are not directly using Log4j may still be impacted, as many technology vendors have incorporated this software into their service offerings. Given this possibility, companies should assess their vendor contracts and understand the allocation of responsibility between the parties with respect to data security incidents. In particular, they should identify who would bear the cost of regulatory and customer notices, enforcement actions, credit monitoring services, third-party claims and legal support.
Companies should consider communicating with technology service providers to ensure the safety of their digital assets. One option is to submit inquiries to technology service providers to understand the risk to the vendor’s IT systems and steps that could be taken to mitigate this (see above).