
Two years on, 1 in 4 apps still vulnerable to Log4Shell
2023-12-11 15:01

Two years after the Log4Shell vulnerability in the open source Java-based Log4j logging utility was disclosed, circa one in four applications are dependent on outdated libraries, leaving them open to exploitation.

Research from security shop Veracode revealed that the vast majority of vulnerable apps may never have updated the Log4j library after developers first added it: 32 percent were running pre-2015 end-of-life (EOL) versions.

Prior investigations from Veracode also showed that 79 percent of all developers never update third-party libraries after first introducing them into projects, and given that Log4j2 - the specific version of Log4j affected by the vulnerability - dates back to 2014, this could explain the large proportion of unpatched apps.

Only 2.8 percent are still using versions 2.0-beta9 through 2.15.0 - post-EOL versions that remain exposed to Log4Shell, the industry-coined moniker of the vulnerability's exploit.

Some 3.8 percent are still running version 2.17, a post-patch version of the Java logger that's not exposed to Log4Shell attacks, but is vulnerable to a separate remote code execution bug.
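The practical question behind these figures is how to tell which band your own builds fall into. The script below is an added example (not Veracode's or The Register's code): it reads a constructed dependency listing in `group:artifact:version` form, parses Log4j version strings so that pre-release qualifiers such as `2.0-beta9` order correctly, and buckets each `log4j-core` (and Log4j 1.x `log4j:log4j`) coordinate into the bands the article names. Two assumptions go beyond the page: the article's "version 2.17" is treated as `2.17.0`, since `2.17.1` was the follow-up release that addressed that separate bug, and `log4j-api` is skipped because the vulnerable lookup code ships in `log4j-core`. Anything outside the article's bands is reported as such rather than being declared safe.

```python
"""Bucket Log4j dependency coordinates into the risk bands the article describes."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (not from any real project): one
# "group:artifact:version" coordinate per line, as a Maven/Gradle
# dependency listing would emit.
SAMPLE_INVENTORY = """\
log4j:log4j:1.2.17
org.apache.logging.log4j:log4j-core:2.0-beta9
org.apache.logging.log4j:log4j-core:2.0-beta8
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-core:2.15.0
org.apache.logging.log4j:log4j-core:2.17.0
org.apache.logging.log4j:log4j-core:2.17.1
org.apache.logging.log4j:log4j-core:2.21.1
org.apache.logging.log4j:log4j-api:2.14.1
com.fasterxml.jackson.core:jackson-databind:2.15.2
"""

# Pre-release qualifiers sort before a final release of the same number.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn '2.0-beta9', '2.15.0' or '1.2.17' into a comparable tuple.

    Layout: (major, minor, patch, qualifier_rank, qualifier_number), so
    2.0-beta9 < 2.0 < 2.0.1 < 2.15.0 under normal tuple ordering.
    """
    m = re.fullmatch(
        r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?",
        version.strip().lower(),
    )
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, qual, qual_num = m.groups()
    rank = _QUALIFIER_RANK[qual] if qual else _FINAL_RANK
    return (int(major), int(minor or 0), int(patch or 0), rank, int(qual_num or 0))


# Band boundaries as the article gives them: 2.0-beta9 through 2.15.0 inclusive.
LOG4SHELL_LOW = parse_version("2.0-beta9")
LOG4SHELL_HIGH = parse_version("2.15.0")


def classify(group: str, artifact: str, version: str) -> Optional[str]:
    """Return the article's band for one coordinate, or None if it is not a
    Log4j artifact that carries the affected code."""
    is_log4j1 = group == "log4j" and artifact == "log4j"
    is_log4j2_core = group == "org.apache.logging.log4j" and artifact == "log4j-core"
    if not (is_log4j1 or is_log4j2_core):
        return None  # log4j-api and unrelated libraries are not flagged here
    v = parse_version(version)
    if v[0] == 1:
        return "log4j-1.x-eol"            # pre-2015 end-of-life branch
    if LOG4SHELL_LOW <= v <= LOG4SHELL_HIGH:
        return "log4shell-exposed"        # 2.0-beta9 .. 2.15.0
    if v[:3] == (2, 17, 0):
        return "2.17.0-separate-rce"      # assumption: the article's "2.17" is 2.17.0
    return "not-in-article-bands"         # verify against project advisories


def scan_inventory(text: str) -> Dict[str, List[str]]:
    """Group every flagged coordinate in the listing by band."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":", 2)
        band = classify(group, artifact, version)
        if band is not None:
            findings.setdefault(band, []).append(line)
    return findings


if __name__ == "__main__":
    for band, coords in sorted(scan_inventory(SAMPLE_INVENTORY).items()):
        print(f"{band}:")
        for coord in coords:
            print(f"  {coord}")
```

Feed it the output of `mvn dependency:list` or `gradle dependencies` reshaped into one coordinate per line; the version comparison is the part worth keeping, because a plain string compare would put `2.0-beta9` after `2.0` and silently misplace the oldest affected releases.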

"The bigger story at the two-year anniversary is that there is still room for improvement when it comes to open source software security. If Log4Shell was another example in a long series of wake-up calls to adopt more stringent open source security practices, the fact that more than one in three applications currently run vulnerable versions of Log4j shows there is more work to do."

News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/11/log4j_vulnerabilities/