Security News > 2023 > December > Over 30% of Log4J apps use a vulnerable version of the library

Over 30% of Log4J apps use a vulnerable version of the library
2023-12-10 15:35

Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years.

Log4Shell is an unauthenticated remote code execution flaw that allows taking complete control over systems with Log4j 2.0-beta9 and up to 2.15.0.

Another 3.8% use Log4j 2.17.0, which, although not vulnerable to Log4Shell, is susceptible to CVE-2021-44832, a remote code execution flaw that was fixed in version 2.17.1 of the framework.

Finally, 32% are using Log4j version 1.2.x, which has reached the end of support since August 2015.

In total, Veracode found that about 38% of the apps within its visibility use an insecure Log4j version.

This is close to what software supply chain management experts at Sonatype report on their Log4j dashboard, where 25% of the library's downloads in the past week concern vulnerable versions.


News URL

https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-apps-use-a-vulnerable-version-of-the-library/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-12-28 CVE-2021-44832 Improper Input Validation vulnerability in multiple products
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server.
network
high complexity
apache oracle cisco fedoraproject debian CWE-20
6.6
2021-12-10 CVE-2021-44228 Deserialization of Untrusted Data vulnerability in multiple products
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
10.0