ClickCease Above 30% Apps at Risk with Vulnerable Log4j Versions

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Above 30% Apps at Risk with Vulnerable Log4j Versions

by Rohan Timalsina

December 27, 2023 - TuxCare expert team

An alarming 38% of applications that use the Apache Log4j library use the versions susceptible to security vulnerabilities. One of them is a critical vulnerability, Log4Shell (CVE-2021-44228), for which patches have been available for over two years.

Log4Shell is an unauthenticated remote code execution (RCE) flaw that allows threat actors to gain complete control over systems running Log4j versions 2.0-beta9 and up to 2.15.0. This vulnerability was identified as a zero-day exploit in December 2021 and has since been actively exploited, highlighting the urgency of immediate patching due to the widespread impact.

 

Veracode’s Log4j Apps Report

 

In a detailed analysis, Veracode examined 38,278 applications from 3,886 businesses between August 15 and November 15. Remarkably, the results showed that around 38% of these applications continued to use unpatched Log4j versions, leaving a substantial portion of the digital landscape to potential threats. Out of which, 2.8% use Log4J versions that are susceptible to Log4Shell.

One typical problem developers encounter is the persistence of out-of-date library versions. A startling 79% of developers decide against updating third-party libraries after they are first incorporated into the code base out of concern that functionality may be affected. Remarkably, 65% of updates for open-source libraries include small adjustments and fixes that are unlikely to interfere with functionality, highlighting a lost chance to improve security.

 

Log4Shell Limited Impact on Practices

 

The security industry might had hoped that the Log4Shell discovery would serve as a wake-up call, but it does not seem to have done so. The fact that Log4j, which is well-known for its vulnerabilities, is still a risk in 1 out of 5 cases shows that the urgency of Log4Shell has not resulted in the expected paradigm shift in security practices.

These findings make it very clear for organizations what they must do: a thorough assessment of their environment to identify open-source library versions. The next step is to create an emergency upgrade plan, ensuring that updates and patches are applied quickly in order to eliminate vulnerabilities and strengthen defenses against any attacks.

 

Conclusion

 

As the Log4j vulnerabilities continues to linger within the digital ecosystem, organizations must acknowledge the persistent threat it poses and take proactive measures to secure their applications. By staying vigilant, implementing timely updates, and embracing a proactive security stance, businesses can navigate the complex cybersecurity landscape with confidence, mitigating the risks associated with Log4Shell and other similar vulnerabilities.

 

The sources for this article include a story from BleepingComputer.

Summary
Above 30% Apps at Risk with Vulnerable Log4j Versions
Article Name
Above 30% Apps at Risk with Vulnerable Log4j Versions
Description
Many Log4j applications were found to be using the unpatched versions, including those that are susceptible to a Log4Shell vulnerability.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Become a TuxCare Guest Writer

Mail

Help Us Understand
the Linux Landscape!

Complete our survey on the state of Open Source and you could win one of several prizes, with the top prize valued at $500!

Your expertise is needed to shape the future of Enterprise Linux!