Alarming Persistence: Log4j Vulnerabilities Linger in 4,000 Businesses Globally, Defying Well-Publicized Flaws

A recent study by Veracode has revealed that, despite widespread awareness of the Log4j security flaws, almost 4,000 organizations worldwide continue to operate with vulnerable versions of the logging utility. The analysis uncovered 38,278 unique applications spanning Log4j versions 1.1 through 3.0.0-alpha1 across 3,866 diverse organizations.

Shockingly, 2.8% of these applications were identified as using versions containing the original Log4Shell vulnerability. This flaw was attacked at a devastating scale, with nearly one million exploit attempts recorded within the first three days after its disclosure on December 9, 2021. Another 3.8% of applications were found to be running Log4j 2.17.0, a version that was patched to eliminate Log4Shell but still harbors vulnerabilities that allow attackers to carry out remote code execution (RCE) exploits.

Veracode's study suggested that the prevalence of at-risk applications using version 2.17.0 could be attributed to teams hastily patching the initial Log4Shell vulnerability but subsequently neglecting ongoing vigilance and updates.

Moreover, approximately 32% of applications were discovered to be using Log4j 1.2.x, which reached its end-of-life (EOL) in August 2015 and is no longer receiving security updates. Adding to the complexity, Apache disclosed three critical vulnerabilities affecting Log4j 1.2.x in January 2022, bringing the total number of critical vulnerabilities to seven since it reached EOL.
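The article sorts the applications it found into a few version buckets: the 1.x line (EOL since 2015), releases carrying the original Log4Shell flaw, 2.17.0 (Log4Shell fixed but still exposed to RCE), and everything else. The script below is an added example, not code from Veracode or the article, that applies the same buckets to a dependency inventory so a defender can see how much of their own estate falls into each. The 1.x EOL and 2.17.0 boundaries are taken from the article; treating every 2.x release below 2.17.0 as lacking the Log4Shell fix is a conservative triage assumption, and the sample inventory is constructed for illustration.

```python
"""Bucket Log4j versions from a dependency inventory by risk category.

Added example (not from the Veracode report or the article): classifies
each Log4j version string into the categories the article describes and
reports what share of an inventory lands in each one.
"""
import re
from collections import Counter

# Boundaries. EOL of the 1.x line and the 2.17.0 finding come from the article.
# ASSUMPTION for triage: any 2.x release below 2.17.0 is treated as not yet
# carrying the Log4Shell fix, so it is flagged conservatively.
EOL_MAJOR = 1
LOG4SHELL_FIXED = (2, 17, 0)
KNOWN_RCE_AFTER_FIX = {(2, 17, 0)}   # the article singles out 2.17.0

# Accepts forms such as "1.2.17", "2.17.0", "2.0-beta9", "3.0.0-alpha1".
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_tag_or_None).

    Missing minor/patch components default to 0 so tuples compare cleanly.
    Raises ValueError for strings that do not look like a Log4j version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), pre


def classify(text):
    """Map one version string to a risk bucket named after the article's findings."""
    nums, pre = parse_version(text)
    if nums[0] == EOL_MAJOR:
        return "eol-1.x"                    # no security updates since August 2015
    if nums[0] == 2:
        if nums < LOG4SHELL_FIXED:
            return "pre-log4shell-fix"      # conservative assumption, see above
        if nums in KNOWN_RCE_AFTER_FIX:
            return "2.17.0-known-rce"       # Log4Shell fixed, RCE still possible
        return "2.x-not-flagged"            # not one of the article's risk buckets
    return "3.x-prerelease" if pre else "3.x-or-newer"


def summarize(inventory):
    """inventory: iterable of (application, version) pairs.

    Returns {bucket: (count, percent_of_total)} so the numbers can be set
    beside the article's percentages. Unparseable entries get their own
    bucket rather than being silently dropped.
    """
    counts = Counter()
    for _app, version in inventory:
        try:
            counts[classify(version)] += 1
        except ValueError:
            counts["unparseable"] += 1
    total = sum(counts.values())
    return {b: (n, round(100.0 * n / total, 1)) for b, n in counts.items()}


# Constructed sample inventory (application name, Log4j version found).
SAMPLE_INVENTORY = [
    ("billing-api", "2.14.1"),
    ("legacy-batch", "1.2.17"),
    ("reporting", "2.17.0"),
    ("gateway", "2.17.1"),
    ("search", "2.0-beta9"),
    ("lab-service", "3.0.0-alpha1"),
    ("auth", "2.19.0"),
    ("ingest", "1.2.8"),
    ("bad-entry", "latest"),
]

if __name__ == "__main__":
    for bucket, (count, pct) in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{bucket:20s} {count:3d}  {pct:5.1f}%")
```

The "2.x-not-flagged" bucket deliberately does not claim a version is safe; it only says the article names no finding for it, which is the right level of confidence for an inventory report that will be refreshed as new advisories arrive.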

The findings highlight a significant challenge: many organizations may not fully comprehend the risks posed by open source libraries. Open source libraries are now pervasive in applications, constituting 97% of third-party code in the average Java application, according to previous Veracode research. Startlingly, the recent findings expose a disconcerting trend where developers tend to neglect updating third-party libraries once integrated into a codebase, with a staggering 79% failing to do so.

The failure to regularly update Log4j versions becomes even more perplexing considering that 65% of open source library updates are minor changes unlikely to disrupt the functionality of most applications.

Despite this, Veracode's research also indicates that developers respond relatively promptly once they become aware of a vulnerability.

Around 50% of vulnerabilities are fixed within 89 days of detection, falling to 65 days for high-severity vulnerabilities. However, developers face challenges in terms of information and resources. The report reveals that developers lacking adequate resources take significantly longer, 13.7 times longer, to address half of their vulnerabilities.

Similarly, those without the necessary context for a vulnerability require over seven months to tackle half of their vulnerability backlog.

In conclusion, the study underscores the pressing need for heightened awareness, consistent updates, and enhanced resources to combat the persistent Log4j vulnerabilities that continue to threaten businesses globally.