Log4j Flaw Expose Company to Data & Personal Information Leakage

来源:广悦律师事务所

文章摘要
On 10 December 2021, the China National Vulnerability Database included Apache Log4j2 Remote Code Ex

On 10 December 2021, the China National Vulnerability Database included Apache Log4j2 Remote Code Execution Vulnerability (CNVD-2021-95914). The CNVD's overall rating for this vulnerability is "High Risk". Similarly, other countries have rated this vulnerability at the highest level, for example, the Swiss National Cyber Security Center (NCSC) rated it at 10 out of 10. This vulnerability can be exploited by attackers to execute code remotely without authorization. Currently, Apache has officially released a patch to fix the vulnerability. The CNVD recommends that affected users update to the latest version immediately and take precautionary measures to avoid the threat of exploit attacks.
2021年12月10日,中国国家信息安全漏洞共享平台(CNVD)收录了Apache Log4j2远程代码执行漏洞(CNVD-2021-95914)。CNVD对该漏洞的综合评级为“高危”,同样地,其他国家对该漏洞的评级亦达到最高级别,例如,瑞士国家网络安全中心(NCSC)对该漏洞的评分为10/10分。攻击者可利用该漏洞在未授权的情况下远程执行代码。目前,Apache官方已发布补丁修复该漏洞。CNVD建议受影响用户立即更新至最新版本,同时采取防范性措施避免漏洞攻击威胁。
In accordance with the Article 57 of the Personal Information Protection Law of PRC (PIPL), in the event of leakage, alteration or loss of personal information, companies being personal information handlers are obliged to take immediate mitigating measures and notify affected individuals. If personal information handlers fail to perform or fully perform obligations under PIPL, handlers and their persons directly in charge may be subject to various legal penalties, such as warning, ordering correction, fines, revocation of business licenses, or even criminal liability, etc (Article 66-71). Noticeably, PIPL provides a cause of action for violation of personal information interest by way of public interest proceedings (Article 70), and consequently, companies may face a higher risk of litigation.
根据《个人信息保护法》第57条,在发生个人信息泄漏、篡改、丢失时,企业作为个人信息处理者负有立即采取补救措施、通知受影响个人的义务。若企业作为个人信息处理者未能履行或完全履行PIPL所规定的义务,相关企业及直接负责的主管人员将可能受到不同程度的处罚,如警告、责令改正、罚款、吊销营业执照、刑事责任等(第66-71条)。值得注意的是,PIPL将个人信息纳入可提起公益诉讼的范畴(第70条),企业可能面临的诉讼风险极大程度提高。
We recommend that companies in China conduct self-examination on the internet and computer system as soon as possible, and take remedial measures and notify affected individuals if the company is found to be affected by this vulnerability and cause personal information leakage, alternation and loss. The contents of the notification should include the type of information, cause, potential harm, mitigation measures, and contact details of the personal information handler (Article 57, PIPL).
我们建议在华企业尽快对其计算机及网络系统进行自查。若发现受此漏洞影响并造成个人信息泄漏,篡改及丢失,需及时采取补救措施并通知受影响的个人。通知的内容应包括发生或可能发生个人信息泄漏、篡改、丢失的信息种类、原因、潜在危害、减轻危害的措施以及个人信息处理者的联系方式(PIPL第57条)。
If this attack has or may cause your company or your vendors’ data and/or personal information leakage, loss or unauthorized access, please feel free to contact us to the following contact information. We, at Wang Jing & GH Law Firm, have a team of experts in data protection and data security law who have extensive knowledge and experience related to similar issues, covering Chinese laws (the Cybersecurity Law, PIPL, Data Security Law, etc), EU laws (GDPR and others) and US Laws. We are always available in assisting your company in dealing with data and personal information leakage crisis and assisting you in implementing a safer protection system.
若此次攻击已然或可能造成贵司或贵司客户数据和/或个人信息泄露、丢失及未经授权的访问,请随时通过下方联系方式与我司联系。广东广悦律师事务所拥有一支数据安全及数据保护的专业法律团队,他们精通中国法(《网络安全法》、《个人信息保护法》、《数据安全法》等)、欧盟法(GDPR等)以及美国法,并在类似问题上拥有丰富的处理经验。我们能随时协助贵司应对此次数据以及个人信息泄漏危机,并协助您搭建更加安全的保护系统。

技术驱动法律,专业成就未来