Two-Fifths of Log4j Apps Use Vulnerable Versions

Organizations are still exposed to critical vulnerabilities in Log4j, two years after a maximum severity bug was found in the popular utility, according to Veracode.

The application security vendor analyzed data from software scans over 90 days between August 15 and November 15, 2023. These covered 38,278 unique applications running Log4j versions 1.1 to 3.0.0-alpha1 across 3866 organizations.

The vendor found that 38% are still using vulnerable versions of Log4j. The majority (32%) of these are running Log4j2 1.2.x, which contains three critical flaws: CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302.

A further 3.8% are running Log4j2 2.17.0, which contains CVE-2021-44832. Just 2.8% are still on versions exposed to the Log4Shell vulnerabilities: Log4j2 2.0-beta9 to 2.15.0.

The original Log4Shell vulnerability (CVE-2021-44228) was first discovered in November 2021 and immediately hit the headlines because the Apache logging system it’s found in is used in a huge range of applications – from Apple iCloud to Elasticsearch – as well as a multitude of open source components.

The remote code execution vulnerability itself was also relatively easy for threat actors to exploit, as long as they could force a vulnerable application to log a particular string of characters.

By March, some of the worst fears of the security community were realised after new research revealed that Log4Shell had been used as an initial infection vector in 31% of compromises.

Veracode argued that although the massive effort to patch the original Log4j bug has been successful, its findings show there’s still some way to go.

“If Log4Shell was another example in a long series of wake-up calls to adopt more stringent open source security practices, the fact that more than one in three applications currently run vulnerable versions of Log4j shows there is more work to do,” it added.

“The major takeaway here is that organizations may not be aware of how much open source security risk they are exposed to and how to mitigate it.”
