Log4j could still be a major security worry for businesses everywhere


Even though it was discovered and patched two years ago, the Log4j vulnerability still poses a major threat to businesses everywhere, new research has claimed.

A report by Veracode has argued businesses simply aren’t diligent enough when it comes to patching their endpoints, having analyzed data from software scans over 90 days between August 15 and November 15, 2023, for 38,278 unique applications running Log4j versions 1.1 through 3.00-alpha 1, across 3,866 organizations.

The data showed that almost two in five applications (38%) are currently running vulnerable versions of Log4j: 2.8% run versions affected by the Log4Shell vulnerabilities (Log4j2 2.0-beta9 through 2.15.0), 3.8% run Log4j2 2.17.0, which is patched against Log4Shell but still contains CVE-2021-44832, and 32% use Log4j2 1.2.x, a branch that reached end-of-life in August 2015 and therefore no longer receives patches. Almost two years ago, in January 2022, Apache said this version contained three critical vulnerabilities: CVE-2022-23307, CVE-2022-23305, and CVE-2022-23302.
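The version ranges above are the kind of thing a defender wants to check against their own dependency inventory. The script below is an added example, not Veracode's tooling or the article's own: it parses Log4j version strings (including beta and alpha qualifiers, which sort below the final release) and sorts each application into the same buckets the report's percentages use. The inventory is constructed sample data, not figures from the report.

```python
import re
from collections import Counter

# Constructed sample inventory for this example (not data from the Veracode report):
# (application name, Log4j version it ships)
SAMPLE_INVENTORY = [
    ("billing-api", "2.14.1"),
    ("report-gen", "2.0-beta9"),
    ("legacy-crm", "1.2.17"),
    ("auth-svc", "2.17.0"),
    ("search", "2.17.1"),
    ("lab-tool", "3.0.0-alpha1"),
]

LOG4SHELL = "Log4Shell range (2.0-beta9 through 2.15.0)"
CVE_44832 = "2.17.0 (patched for Log4Shell, contains CVE-2021-44832)"
EOL_12X = "1.2.x (end-of-life since 2015, unpatched critical CVEs)"
OTHER = "outside the report's buckets (check current advisories)"

_VER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.I)

def parse_version(text):
    """Turn '2.0-beta9' into a tuple that sorts correctly: pre-releases rank below the final build."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get((tag or "").lower(), 3)  # 3 = final release
    return (int(major), int(minor or 0), int(patch or 0), rank, int(tagnum or 0))

def classify(version):
    """Assign one version string to the risk bucket the article's figures are built on."""
    v = parse_version(version)
    if v[:2] == (1, 2):
        return EOL_12X
    if parse_version("2.0-beta9") <= v <= parse_version("2.15.0"):
        return LOG4SHELL
    if v == parse_version("2.17.0"):
        return CVE_44832
    return OTHER

def summarize(inventory):
    """Count applications per bucket and give each bucket's share, like the report's percentages."""
    counts = Counter(classify(ver) for _, ver in inventory)
    total = len(inventory)
    return {bucket: (n, round(100 * n / total, 1)) for bucket, n in counts.items()}

if __name__ == "__main__":
    for app, ver in SAMPLE_INVENTORY:
        print(f"{app:12s} {ver:12s} -> {classify(ver)}")
    for bucket, (n, pct) in summarize(SAMPLE_INVENTORY).items():
        print(f"{n} ({pct}%): {bucket}")
```

Anything landing in the "outside the report's buckets" bucket is not automatically safe; it only means the version is not one of the three ranges the article quantifies.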

"Massive effort"

While the data suggests a “massive effort” to fix the Log4Shell vulnerability and mitigate the risks of malware abusing the zero-day, there is still plenty of room for improvement, even two years after the discovery, Veracode concluded. 

“If Log4Shell was another example in a long series of wake-up calls to adopt more stringent open-source security practices, the fact that more than 1 in 3 applications currently run vulnerable versions of Log4j shows there is more work to do.” 

Veracode’s researchers concluded that many organizations probably aren’t even aware of the amount of risk they’re exposed to when integrating open-source software. 

A separate report by the same firm found that almost 80% of the time developers never update third-party libraries after including them in a code base, which could explain why there are so many instances of outdated Log4j code still in use. 


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.