Two years on, 1 in 4 apps still vulnerable to Log4Shell

Trending 2 months ago

Two years afterwards the Log4Shell vulnerability in the accessible antecedent Java-based Log4j logging account was disclosed, about one in four applications are abased on anachronous libraries, abrogation them accessible to exploitation.

Research from aegis boutique Veracode appear that the all-inclusive majority of accessible apps may never accept adapted the Log4j library afterwards it was implemented by developers as 32 percent were active pre-2015 EOL versions.

Prior investigations from Veracode additionally showed that 79 percent of all developers never amend third-party libraries afterwards aboriginal introducing them into projects, and accustomed that Log4j2 – the specific adaptation of Log4j afflicted by the vulnerability – dates aback to 2014, this could explain the ample admeasurement of unpatched apps.

A far abate boyhood are active versions that were accessible at the time of the Log4j vulnerability's disclosure in December 2021. Only 2.8 percent are still application versions 2.0-beta9 through 2.15.0 – post-EOL versions that abide apparent to Log4Shell, the industry-coined moniker of the vulnerability's exploit.

Some 3.8 percent are still active adaptation 2.17, a post-patch adaptation of the Java logger that's not apparent to Log4Shell attacks, but is accessible to a abstracted alien cipher beheading (RCE) bug (CVE-2021-44832).

The advisers accept this illustrates a boyhood of developers that acted bound back the vulnerability was aboriginal disclosed, as was the admonition at the time, had alternate to earlier habits of abrogation libraries untouched.

Altogether, aloof shy of 35 percent abide accessible to Log4Shell, and about 40 percent are accessible to RCE flaws.

The EOL versions of Log4j are additionally accessible to three added analytical bugs appear by Apache, bringing the absolute to seven aerial and critical-rated issues.

"At a apparent level, the numbers aloft appearance that the massive accomplishment to remediate the Log4Shell vulnerability was able in mitigating accident of corruption of the zero-day vulnerability. That should not be surprising," said Chris Eng, arch analysis administrator at Veracode.

"The bigger adventure at the two-year anniversary, however, is that there is still allowance for advance back it comes to accessible antecedent software security. If Log4Shell was addition archetype in a continued alternation of wake-up calls to accept added acrimonious accessible antecedent aegis practices, the actuality that added than one in three applications currently run accessible versions of Log4j shows there is added assignment to do.

"The above takeaway actuality is that organizations may not be acquainted of how abundant accessible antecedent aegis accident they are apparent to and how to abate it."

  • Regulator, insurers and barter all advancing for Progress afterwards MOVEit breach
  • curl vulnerabilities ironed out with patches afterwards week-long tease
  • Fresh coil tomorrow will application 'worst' aegis blemish in ages
  • Five Eyes nations detail bedraggled dozen best exploited vulnerabilities

The beyond affair at comedy isn't aloof the abortion to administer patches. According to Sonatype, the cardinal of Log4j downloads absolute accessible versions aloof in the aftermost seven canicule stands at 26 percent of a absolute 3.7 million.

It's a abnormality that hasn't afflicted abundant back Log4Shell's acknowledgment either, with 26 percent of all downloads back December 2021 accessible to the RCE exploit.

When it was aboriginal revealed, the vulnerability in Log4j catalyzed boundless abhorrence in the infosec community, accustomed its analytical attributes and the cardinal of organizations whose software relied on it – a amount Veracode believed to accept been about 88 percent at the time.

The predictions were that the bug was so dangerous, so exploitable, and so austere that it would abode the industry for abounding months into 2022, and others like the US Department of Homeland Security speculated it could linger for best than a decade. 

The administrator at the US Cybersecurity and Infrastructure Security Agency (CISA) said at the time it was the "most serious" vulnerability she had apparent in her career.

However, fast action and burning acquaintance campaigns ultimately meant the accident wasn't as acute as abounding aboriginal feared.

Log4Shell did account some high-profile issues, though, such as an attack on a US government network at the easily of Iranian state-sponsored cybercriminals, and the Belgian aegis ministry bald weeks into the furore.

Though best organizations patched to defended versions aural weeks rather than ambidextrous with exploits, generally the better affliction acquainted was the patching action itself, which could accept complex hundreds of apps, depending on the organization. ®