Over 30% of Log4J apps use a vulnerable version of the library

December 10, 2023 at 10:39AM

Around 38% of applications that use Apache Log4j still ship a vulnerable version of the library, including versions exposed to the critical Log4Shell flaw (CVE-2021-44228), which allows unauthenticated remote code execution. Patches have been available for over two years, yet many organizations continue to run insecure versions. Companies are advised to scan their environments for the library versions in use and to draw up an emergency upgrade plan for their open-source dependencies.

Key takeaways from the report:

– Approximately 38% of applications using the Apache Log4j library run vulnerable versions. That includes versions exposed to Log4Shell (CVE-2021-44228), a critical flaw that allows unauthenticated remote code execution on systems running Log4j 2.0-beta9 through 2.14.1; the 2.15.0 release carried an incomplete fix (tracked as CVE-2021-45046), so 2.16.0 is the first mainline release that closes the JNDI lookup path.

– Despite patches being available for over two years, a significant number of organizations continue to use vulnerable versions of Log4j, posing a substantial security risk.

– The 38% figure comes from a Veracode report that analyzed applications in its customer base and found about that share using insecure Log4j versions, underlining how widespread the problem remains.

– The study also found that developers are reluctant to update third-party libraries: 79% never update a library after its initial inclusion in the code base, even though most updates contain only minor changes and fixes.

– Furthermore, projects take a long time to address high-severity flaws, especially where teams are short-staffed or lack information about which dependencies are affected.

– Log4Shell has not been the wake-up call many expected; Log4j remains a significant source of risk across a large number of applications, leaving organizations open to attack.

– The recommendation for companies is to scan their environment thoroughly to identify which versions of open-source libraries are in use, and then to develop an emergency upgrade plan for all of them.

These takeaways highlight the urgency for organizations to address the use of vulnerable Log4j versions and to prioritize regular updates of third-party libraries to mitigate security risks.
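The environment scan the report recommends is harder than a version grep, because log4j-core is routinely shaded or bundled inside WAR, EAR and fat JAR files, and some teams mitigated Log4Shell in 2021 by deleting JndiLookup.class rather than upgrading. The following is an added example, not Veracode's or the article's own tooling: it walks a directory tree, opens every archive (recursing into nested archives), reads the version from the Maven pom.properties that log4j-core ships, classifies it against the Log4Shell fix lines (2.16.0 mainline, 2.12.2 on the Java 7 branch, 2.3.1 on the Java 6 branch), and records whether JndiLookup.class is still present. The sample directory tree it builds is constructed in the block; the helper names are this example's own.

```python
"""Find log4j-core copies on disk, including those nested inside WAR/EAR/fat JARs,
and classify each against CVE-2021-44228 / CVE-2021-45046 fix lines.
Added example for illustration; not the article's or Veracode's code."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 8  # guard against pathological archive-in-archive depth
# Maven metadata shipped inside every log4j-core JAR; it carries an exact version line.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal was the widely used stop-gap mitigation for Log4Shell.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+\d*))?")


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 0, 'beta9'); '2.14.1' -> (2, 14, 1, 1, '').
    The fourth element sorts pre-releases (beta/rc) before the final release.
    Log4j 2 only had beta1..beta9 and rc1..rc2, so plain string order on the
    qualifier is sufficient here."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, qual = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qual else 1, qual or "")


def log4shell_status(version):
    """Classify a log4j-core version against CVE-2021-44228 and its incomplete fix
    CVE-2021-45046. Only the RCE issues are judged; the later DoS/JDBC CVEs move
    the fully patched line to 2.17.1 (2.12.4 / 2.3.2 on the legacy branches)."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v[0] != 2 or v < parse_version("2.0-beta9"):
        return "not affected"  # 1.x is end-of-life with its own issues, but not this CVE
    fixed_at = {(2, 12): "2.12.2", (2, 3): "2.3.1"}.get((v[0], v[1]), "2.16.0")
    return "vulnerable" if v < parse_version(fixed_at) else "fixed"


def _inspect_zip(zf, location, findings, depth):
    """Record log4j-core metadata in this archive, then recurse into nested archives."""
    names = zf.namelist()
    name_set = set(names)
    if POM_PROPS in name_set:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else "unknown"
        findings.append({
            "location": location,
            "version": version,
            "status": log4shell_status(version),
            "jndi_lookup_present": JNDI_LOOKUP in name_set,
        })
    if depth >= MAX_NESTING:
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except (zipfile.BadZipFile, RuntimeError):
                continue  # not a real (or an encrypted) archive; skip it
            _inspect_zip(nested, f"{location}!{name}", findings, depth + 1)


def scan(root):
    """Walk `root` and return one finding per log4j-core copy discovered."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect_zip(zf, path.relative_to(root).as_posix(), findings, 0)
            except zipfile.BadZipFile:
                continue
    return findings


def _fake_log4j_core(version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core JAR: only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: a patched 2.17.1 JAR, a 2.14.1 JAR with JndiLookup stripped,
    and a 2.14.1 copy bundled inside a WAR (the case a filename grep misses)."""
    root = Path(root)
    (root / "lib").mkdir(parents=True)
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(_fake_log4j_core("2.17.1"))
    (root / "lib" / "log4j-core-2.14.1-stripped.jar").write_bytes(
        _fake_log4j_core("2.14.1", with_jndi_lookup=False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    (root / "webapps").mkdir()
    (root / "webapps" / "app.war").write_bytes(war.getvalue())


def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for f in demo():
        note = "" if f["jndi_lookup_present"] else " (JndiLookup.class removed)"
        print(f"{f['location']}: {f['version']} -> {f['status']}{note}")
```

A "vulnerable" finding with JndiLookup.class absent is a mitigated copy, not a patched one; it still belongs on the upgrade list, because the class removal does nothing for the later Log4j CVEs and is undone by the next redeploy of the original artifact. Run `scan()` against application directories, container image layers and build caches rather than source checkouts, since the shaded copies live in the deployed artifacts.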
