Researchers from Qualys have reported that, roughly three months after its discovery late last year, some 30% of Log4j instances remain vulnerable. Qualys scanned more than 150 million IT assets across all geographies and flagged 22 million vulnerable application installations, more than 80% of which were open-source applications.
Overall, Log4j was detected in more than 3 million vulnerable instances, and nearly 68,000 vulnerabilities were found in cloud workloads and containers across the USA and EMEA, reinforcing the recommendation that companies monitor running containers for flaws like Log4j. For 50% of the vulnerable applications, the vendor won’t provide an update because the product has reached “End of Support”.
Log4j is just another vulnerability that gives criminal actors a weapon for gaining access to multiple environments. It has not been exploited as heavily as it could have been, but it has given threat actors ideas for additional angles of attack to explore in the future. Good security hygiene and adherence to industry best practices can mitigate these before any harm is done.
With Log4j used in so many places, it may take some time just to discover all the applications that leverage it. This is especially true of home-grown apps, and of ones that were installed for a limited purpose and then forgotten after serving it. While most vulnerable instances will be patched or have mitigations put in place, chances are good they’ll still be turning up for quite some time to come.
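One way to start that inventory, as an added example rather than code from the page or from Qualys: walk a file tree, open every archive, recurse into jars bundled inside WAR/EAR files, and report the log4j-core version from its Maven metadata along with whether the JndiLookup class is present. The sample WAR and its version string are constructed; the script is an inventory aid, not a vulnerability verdict, which still requires comparing the reported versions against Apache's advisories.

```python
import io
import os
import re
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven metadata shipped inside log4j-core, and the class carrying the JNDI lookup
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_archive(data, path):
    """Return findings for one archive (bytes), recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inventory
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            ver = m.group(1).strip() if m else "unknown"
            findings.append({"path": path, "version": ver, "jndi_lookup": JNDI_CLASS in names})
        for n in names:  # shaded or bundled copies: recurse into nested archives
            if n.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(n), f"{path}!{n}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and inventory every archive found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), p))
    return findings

def build_sample_war():  # constructed sample: a WAR bundling a fake log4j-core jar
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "version=0.0.0-sample\n")  # placeholder version
        z.writestr(JNDI_CLASS, b"")  # empty stand-in, not real bytecode
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-sample.jar", core.getvalue())
        z.writestr("WEB-INF/lib/other-lib.jar", b"not a zip")  # exercises BadZipFile path
    return war.getvalue()
```

Run `scan_tree("/opt")` (or any root where applications live) to list every bundled log4j-core copy with its path inside the enclosing archive.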
Enterprises large and small should invest in robust security technology that can help mitigate this type of vulnerability; this matters because patching some of these is not up to the enterprise, but rather up to its supply chain.