It’s been almost 3 years since the critical Log4j vulnerability was disclosed and there are still approximately 38% of applications using vulnerable versions of the Apache Log4j library.
Despite patches being available shortly after vulnerability disclosure, many organisations persistently use vulnerable versions. Log4Shell, an unauthenticated remote code execution flaw, allows complete control over affected systems. A study analysing data from 3,866 organisations and 38,278 applications found that 38% are using an insecure version of Log4j. Furthermore, over 25% of Log4j downloads in the last 7 days were for vulnerable versions. The study also found that 78% of developers are reluctant to update third-party libraries after their apps have been released, for fear of breaking functionality. Organisations need a software bill of materials (SBOM) to understand their exposure, and a vulnerability management plan to address critical vulnerabilities within their applications.
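One way to use an SBOM for exactly this exposure check, as an added example that is not part of the original segment: walk a CycloneDX JSON SBOM and flag every Log4j component that is either 1.x (end-of-life) or 2.x below an assumed minimum safe version. The SBOM content is constructed, and the 2.17.1 threshold is an assumption to be confirmed against the current Apache Log4j security advisory.

```python
"""Flag Log4j components in a CycloneDX SBOM that are below a safe version."""
import json
import re

# Assumption: 2.x releases below 2.17.1 are treated as exposed to Log4Shell
# or its follow-up fixes, and the 1.x line is end-of-life. Confirm both against
# the current Apache Log4j advisory before acting on the result.
MIN_SAFE_2X = (2, 17, 1, 1)

# Maven coordinates of the two Log4j artifacts worth checking.
LOG4J_ARTIFACTS = {("org.apache.logging.log4j", "log4j-core"), ("log4j", "log4j")}

# Constructed sample SBOM (not a real inventory).
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"group": "log4j", "name": "log4j", "version": "1.2.17"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2"},
]})


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; pre-releases sort first."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\S+))?", version)
    if not match:
        return None
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_vulnerable(version):
    """True when the version is 1.x, below the assumed 2.x minimum, or unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return True  # unknown version string: treat as exposed, not as safe
    if parsed[0] < 2:
        return True  # Log4j 1.x is end-of-life and receives no fixes
    return parsed < MIN_SAFE_2X


def find_log4j(sbom):
    """Return (group, name, version, vulnerable) for each Log4j component found."""
    findings = []
    for comp in sbom.get("components", []):
        key = (comp.get("group"), comp.get("name"))
        if key in LOG4J_ARTIFACTS:
            version = comp.get("version", "")
            findings.append((key[0], key[1], version, is_vulnerable(version)))
    return findings


if __name__ == "__main__":
    for group, name, version, vuln in find_log4j(json.loads(SAMPLE_SBOM)):
        print(f"{group}:{name}:{version} -> {'VULNERABLE' if vuln else 'ok'}")
```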
https://www.sonatype.com/resources/log4j-vulnerability-resource-center
https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-apps-use-a-vulnerable-version-of-the-library/
This segment was created for the It’s 5:05 podcast
https://505updates.com/2023-12-18-cybersecurity-and-open-source-headlines/