Millions of Java Apps Remain Vulnerable to Log4Shell
Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found.
Researchers searched the Shodan search engine to see how many apps vulnerable to Log4Shell are exposed to the internet.
Researchers divided the apps into three categories. The first two are containers that, in their latest version, still contain obsolete versions of Log4j, and containers whose latest version is up to date but that still show evidence of using previous versions.
Researchers cited other sources for further proof that the Log4Shell attack surface remains vast.
Moreover, many applications are still using Log4j version 1.x and likely aren't patched because the original Log4Shell vulnerability, tracked as CVE-2021-44228, doesn't apply to this version, researchers noted.
Perhaps most worrying about the vulnerable attack surface is that Log4Shell remains a hot target for threat actors, researchers noted.
News URL
https://threatpost.com/java-apps-vulnerable-log4shell/179397/