Security News > 2023 > December > Over 30% of Log4J apps use a vulnerable version of the library

Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years.

Log4Shell is an unauthenticated remote code execution flaw that allows taking complete control over systems with Log4j 2.0-beta9 and up to 2.15.0.

Another 3.8% use Log4j 2.17.0, which, although not vulnerable to Log4Shell, is susceptible to CVE-2021-44832, a remote code execution flaw that was fixed in version 2.17.1 of the framework.

Finally, 32% are using Log4j version 1.2.x, which has reached the end of support since August 2015.

In total, Veracode found that about 38% of the apps within its visibility use an insecure Log4j version.

This is close to what software supply chain management experts at Sonatype report on their Log4j dashboard, where 25% of the library's downloads in the past week concern vulnerable versions.

News URL

https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-apps-use-a-vulnerable-version-of-the-library/