An alarming 38% of applications that use the Apache Log4j library use the versions susceptible to security vulnerabilities. One of them is a critical vulnerability, Log4Shell (CVE-2021-44228), for which patches have been available for over two years.
Log4Shell is an unauthenticated remote code execution (RCE) flaw that allows threat actors to gain complete control over systems running Log4j versions 2.0-beta9 and up to 2.15.0. This vulnerability was identified as a zero-day exploit in December 2021 and has since been actively exploited, highlighting the urgency of immediate patching due to the widespread impact.
Veracode’s Log4j Apps Report
In a detailed analysis, Veracode examined 38,278 applications from 3,886 businesses between August 15 and November 15. Remarkably, the results showed that around 38% of these applications continued to use unpatched Log4j versions, leaving a substantial portion of the digital landscape to potential threats. Out of which, 2.8% use Log4J versions that are susceptible to Log4Shell.
One typical problem developers encounter is the persistence of out-of-date library versions. A startling 79% of developers decide against updating third-party libraries after they are first incorporated into the code base out of concern that functionality may be affected. Remarkably, 65% of updates for open-source libraries include small adjustments and fixes that are unlikely to interfere with functionality, highlighting a lost chance to improve security.
Log4Shell Limited Impact on Practices
The security industry might had hoped that the Log4Shell discovery would serve as a wake-up call, but it does not seem to have done so. The fact that Log4j, which is well-known for its vulnerabilities, is still a risk in 1 out of 5 cases shows that the urgency of Log4Shell has not resulted in the expected paradigm shift in security practices.
These findings make it very clear for organizations what they must do: a thorough assessment of their environment to identify open-source library versions. The next step is to create an emergency upgrade plan, ensuring that updates and patches are applied quickly in order to eliminate vulnerabilities and strengthen defenses against any attacks.
Conclusion
As the Log4j vulnerabilities continues to linger within the digital ecosystem, organizations must acknowledge the persistent threat it poses and take proactive measures to secure their applications. By staying vigilant, implementing timely updates, and embracing a proactive security stance, businesses can navigate the complex cybersecurity landscape with confidence, mitigating the risks associated with Log4Shell and other similar vulnerabilities.
The sources for this article include a story from BleepingComputer.
The post Above 30% Apps at Risk with Vulnerable Log4j Versions appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/above-30-apps-at-risk-with-vulnerable-log4j-versions/