Study Shows 38% of Java Apps Still Affected By Log4Shell

An anonymous reader quotes a report from The Register: Two years after the Log4Shell vulnerability in the open source Java-based Log4j logging utility was disclosed, circa one in four applications are dependent on outdated libraries, leaving them open to exploitation. Research from security shop Veracode revealed that the vast majority of vulnerable apps may never have updated the Log4j library after it was implemented by developers as 32 percent were running pre-2015 EOL versions. Prior investigations from Veracode also showed that 79 percent of all developers never update third-party libraries after first introducing them into projects, and given that Log4j2 -- the specific version of Log4j affected by the vulnerability -- dates back to 2014, this could explain the large proportion of unpatched apps.

A far smaller minority are running versions that were vulnerable at the time of the Log4j vulnerability's disclosure in December 2021. Only 2.8 percent are still using versions 2.0-beta9 through 2.15.0 -- post-EOL versions that remain exposed to Log4Shell, the industry-coined moniker of the vulnerability's exploit. Some 3.8 percent are still running version 2.17, a post-patch version of the Java logger that's not exposed to Log4Shell attacks, but is vulnerable to a separate remote code execution (RCE) bug (CVE-2021-44832).

The researchers believe this illustrates a minority of developers that acted quickly when the vulnerability was first disclosed, as was the advice at the time, had returned to older habits of leaving libraries untouched. Altogether, just shy of 35 percent remain vulnerable to Log4Shell, and nearly 40 percent are vulnerable to RCE flaws. The EOL versions of Log4j are also vulnerable to three additional critical bugs announced by Apache, bringing the total to seven high and critical-rated issues. 'At a surface level, the numbers above show that the massive effort to remediate the Log4Shell vulnerability was effective in mitigating risk of exploitation of the zero-day vulnerability. That should not be surprising,' said Chris Eng, chief research officer at Veracode.

'The bigger story at the two-year anniversary, however, is that there is still room for improvement when it comes to open source software security. If Log4Shell was another example in a long series of wake-up calls to adopt more stringent open source security practices, the fact that more than one in three applications currently run vulnerable versions of Log4j shows there is more work to do.

'The major takeaway here is that organizations may not be aware of how much open source security risk they are exposed to and how to mitigate it.'

Read more of this story at Slashdot.