A recent report by Veracode highlights the ongoing vulnerability of enterprise applications to the Log4Shell vulnerability associated with Log4j libraries. This vulnerability poses a significant risk to organizations worldwide.
Description
The analysis conducted by Veracode covered a vast number of applications, totaling over 38,000 [3], across 3,866 organizations [1] [2] [3]. Shockingly, the findings reveal that nearly 40% of these applications are utilizing outdated and unpatched versions of the Apache Log4j library. Specifically, 33% of these applications are running Log4j2 1.2x, which is no longer receiving patch updates [2] [3]. Additionally, 2.8% of the applications were found to be using versions vulnerable to the Log4Shell vulnerability, while 3.8% were running Log4j2 2.170 [1] [2], which contains another high severity vulnerability [3].
These findings underscore the urgent need for developers to take responsibility for their applications and prioritize open source software security. Organizations must fully comprehend the open source security risks they face and take necessary steps to mitigate them [1]. It is crucial for developers to remain vigilant and ensure they update third-party libraries when incorporating them into their code. Neglecting to do so can lead to time-consuming patch processes and leave applications vulnerable to security issues.
Conclusion
The Veracode report serves as a wake-up call for organizations and developers alike. The prevalence of outdated and unpatched versions of the Apache Log4j library highlights the need for immediate action. By prioritizing open source software security and staying up to date with patch updates, organizations can mitigate the risks posed by vulnerabilities like Log4Shell. Developers must take responsibility for their applications and ensure they incorporate necessary security measures. Failure to do so can have severe consequences, both in terms of time-consuming patch processes and potential security breaches. Moving forward, it is imperative that organizations and developers remain proactive in addressing open source security risks to safeguard their applications and data.
References
[1] https://www.infosecurity-magazine.com/news/twofifths-log4j-apps-vulnerable/
[2] https://www.itpro.com/security/log4j-nearly-4000-organizations-still-vulnerable-two-years-on
[3] https://www.cybersecuritydive.com/news/log4j-haunts-security-community/702011/