CISA stresses that "significant" Log4j breaches have not yet been found in the networks of federal agencies or critical infrastructure, but that it is not yet possible to assess whether the vulnerability is present across all of these disparate systems.
Legal action may be forthcoming for organizations that do not patch Log4j. The FTC has issued an alert that references the Equifax breach (which ended in a settlement of $700 million) as a precedent.
Myths about an SBOM further exposing an organization to attack or leaking trade secrets hamper an enterprise’s security efforts around visibility and transparency into software assets that could put an entire organization at risk.