Over 30% of Log4J apps use a vulnerable version of the library

Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years.
Log4Shell is an unauthenticated remote code execution flaw that allows taking complete control over systems with Log4j 2.0-beta9 and up to 2.15.0.
The circumstance prompted an extensive campaign to notify affected project maintainers and system administrators, but despite numerous warnings, a significant number of organizations continued to use vulnerable versions long after patches became available.
Two years after the vulnerability was disclosed and fixes were released, there are plenty of targets still vulnerable to Log4Shell.
A report from application security company Veracode, based on data collected between August 15 and November 15, highlights that old problems can persist for an extensive periods.
Veracode gathered data for 90 days from 3,866 organizations that use 38,278 applications relying on Log4j with versions between 1.1 and 3.0.0-alpha1.
Of those apps, 2.8% use Log4J variants 2.0-beta9 through 2.15.0, which are directly vulnerable to Log4Shell.
Another 3.8% use Log4j 2.17.0, which, although not vulnerable to Log4Shell, is susceptible to CVE-2021-44832, a remote code execution flaw that was fixed in version 2.17.1 of the framework.
Finally, 32% are using Log4j version 1.2.x, which has reached the end of support since August 2015.
Those versions are vulnerable to multiple severe vulnerabilities published until 2022, including CVE-2022-23307, CVE-2022-23305, and CVE-2022-23302.
In total, Veracode found that about 38% of the apps within its visibility use an insecure Log4j version.
This is close to what software supply chain management experts at Sonatype report on their Log4j dashboard, where 25% of the library's downloads in the past week concern vulnerable versions.
The continual use of outdated library versions indicates an ongoing problem, which Veracode attributes to developers wanting to avoid unnecessary complications.
According to Veracode's findings, 79% of developers opt never to update third-party libraries after their initial inclusion in their code base to avoid breaking functionality.
The study showed that it takes 50% of projects over 65 days to address high-severity flaws.
Veracode's data shows that Log4Shell has not been the wake-up call many in the security industry hoped it would be.
Instead, Log4j alone continues to be a source of risk in 1 out of 3 cases and may very easily be one of the multiple ways attackers can leverage to compromise a given target.
The recommendation for companies is to scan their environment, find the versions of open-source libraries in use, and then develop an emergency upgrade plan for all of them.
Atlassian patches critical RCE flaws across multiple products.
December Android updates fix critical zero-click RCE flaw.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 10 Dec 2023 15:45:16 +0000


Cyber News related to Over 30% of Log4J apps use a vulnerable version of the library

Over 30% of Log4J apps use a vulnerable version of the library - Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being ...
11 months ago Bleepingcomputer.com
Above 30% Apps at Risk with Vulnerable Log4j Versions - An alarming 38% of applications that use the Apache Log4j library use the versions susceptible to security vulnerabilities. One of them is a critical vulnerability, Log4Shell, for which patches have been available for over two years. Log4Shell is an ...
10 months ago Securityboulevard.com
One in four apps remain exposed to Log4Shell The Register - Two years after the Log4Shell vulnerability in the open source Java-based Log4j logging utility was disclosed, circa one in four applications are dependent on outdated libraries, leaving them open to exploitation. Research from security shop Veracode ...
11 months ago Go.theregister.com
Lazarus Hackers Exploit 2-Year-Old Log4j Vulnerability to Deploy New RAT Malware - Researchers warn Lazarus threat actors still exploit known Log4j vulnerability to infect devices with new DLang malware strains. The new campaign, dubbed Operation Blacksmith, became active on March 23. Hackers target manufacturing, agricultural, and ...
11 months ago Heimdalsecurity.com
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
1 year ago Hackread.com
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
11 months ago Cysecurity.news
Halting Hackers on the Holidays 2023 Part II: The Apps You Trust - Most free flashlight apps are creepware - also known as malware that spies on you and your online behavior and could pass along information to others. The problem doesn't begin and end with flashlight apps, though. Many seemingly innocuous apps that ...
11 months ago Cyberdefensemagazine.com
Two-Fifths of Log4j Apps Use Vulnerable Versions - Organizations are still exposed to critical vulnerabilities in Log4j, two years after a maximum severity bug was found in the popular utility, according to Veracode. The application security vendor analyzed data from software scans over 90 days ...
11 months ago Infosecurity-magazine.com
CVE-2021-4104 - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing ...
1 year ago
CVE-2022-23302 - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can ...
1 year ago
Google Online Security Blog: I/O 2024: What's new in Android security and privacy - As their tactics evolve in sophistication and scale, we continually adapt and enhance our advanced security features and AI-powered protections to help keep Android users safe. Today, we're announcing more new fraud and scam protection features ...
6 months ago Security.googleblog.com
CVE-2017-2171 - Cross-site scripting vulnerability in Captcha prior to version 4.3.0, Car Rental prior to version 1.0.5, Contact Form Multi prior to version 1.2.1, Contact Form prior to version 4.0.6, Contact Form to DB prior to version 1.5.7, Custom Admin Page ...
7 years ago
The mystery of the targeted ad and the library patron The Register - Feature In April, attorney Christine Dudley was listening to a book on her iPhone while playing a game on her Android tablet when she started to see in-game ads that reflected the audiobooks she recently checked out of the San Francisco Public ...
6 months ago Go.theregister.com
This year's resolution: remove nosey apps from your device - Some apps are plain greedy-like a stranger you invite for a meal who insists on ordering everything on the menu. Here's what upset me: After I downloaded the companion app that helps control it for my phone, the app wanted permission to make and ...
10 months ago Blog.avast.com
10 Key Things You Need to Know About the Sophisticated Vastflux Ad Fraud Scheme - At the end of April 2015, researchers from Distil Networks reported the discovery of a sophisticated ad fraud network, Vastflux, which had been around since at least January 2014. The network used sophisticated malware targeting both iOS and Android ...
1 year ago Securityweek.com
Over 90 malicious Android apps with 5.5M installs found on Google Play - Over 90 malicious Android apps were found installed over 5.5 million times through Google Play to deliver malware and adware, with the Anatsa banking trojan seeing a recent surge in activity. Anatsa is a banking trojan that targets over 650 ...
5 months ago Bleepingcomputer.com
10 Ways a Digital Shield Protects Apps and APIs - While far from perfect, this approach provided multilayer security defenses to protect apps and APIs. As network architectures gradually became more complex, so did protecting apps and APIs. The on-premises enterprise environment gave way to a hybrid ...
6 months ago Darkreading.com
Ushering in the Next Phase of Mobile App Adoption: Bolstering Growth with Unyielding Security - In recent years, mobile apps have surged in popularity providing consumers with instant access to a variety of life essentials such as finances, education, and healthcare to life's pleasures such as shopping, sports, and gaming. With the popularity ...
11 months ago Cyberdefensemagazine.com
Alert: iPhone Push Notifications Exploited Users Data - The security researcher found users privacy concerns in iPhone push notifications, the apps accessing the accelerometer. It also details some privacy concerns regarding app access to this sensor. Some apps have been found to collect accelerometer ...
9 months ago Hackersonlineclub.com
Rhysida ransomware gang claims British Library cyberattack - The Rhysida ransomware gang has claimed responsibility for a cyberattack on the British Library in October, which has caused a major ongoing IT outage. Rhysida is auctioning off the data it reportedly stole from the United Kingdom's national library ...
11 months ago Bleepingcomputer.com
CVE-2022-23305 - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to ...
11 months ago
Ontario public library shuts down most services due to cyberattack - A popular library in Ontario, Canada was forced to shut down most of its services this week due to a cyberattack - the latest library to face issues after hackers infiltrated its systems. The London Public Library, which services the Canadian city's ...
11 months ago Therecord.media
Android App Security Alert: Proactive Measures to Prevent Unauthorized Control - The latest security alert comes from Microsoft's team who discovered a new vulnerability that may give hackers complete control of your smartphone. The latest security alert is triggered by the discovery of a new security flaw which can allow hackers ...
6 months ago Cysecurity.news
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions - A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of ...
1 year ago Thehackernews.com
Ten new Android banking trojans targeted 985 bank apps in 2023 - This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. Banking trojans are malware that targets people's online bank ...
11 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)