Original Post: State of Log4j Vulnerabilities: How Much Did Log4Shell Change?
The article marks the two-year anniversary of the discovery of the Log4Shell vulnerability in Apache Log4j, a critical zero-day vulnerability with an extremely high severity rating. This vulnerability had the potential for widespread exploitation, prompting significant efforts for remediation. Despite these efforts, a recent analysis by Veracode, which reviewed software scans from nearly 4,000 organizations, found that 38% of applications still use vulnerable versions of Log4j. The analysis highlighted how ongoing security technical debt continues to expose organizations to risks.
Key findings include that 2.8% of applications are still using the versions affected by Log4Shell, 3.8% are using a version susceptible to another critical vulnerability (CVE-2021-44832), and 32% are running an end-of-life version of Log4j that has not received updates since 2015. The article emphasizes the need for continuous updates and better open-source security practices, noting that once notified, developers can fix vulnerabilities within a couple of months, pointing to a gap between vulnerability discovery and actual remediation.
The call to action stresses the importance of knowing the components in software development and acquired software to mitigate risks effectively. Recommendations include the use of Software Composition Analysis (SCA) and Infrastructure as Code scanning, maintaining an up-to-date Software Bill of Materials (SBOM), and implementing policies to address and manage vulnerabilities in open-source software.
Go here to read the Original Post