Some critical vulnerabilities are taking over 500 days to be fixed.
Almost three years after the discovery of the Log4Shell vulnerability, 13 percent of active Log4j installations are still running vulnerable versions.
According to new research by Sonatype, while 13 percent is an improvement, it should be near zero given how widely publicised the vulnerability has been. Sonatype's 2022 research found that 40 percent of Log4j downloads were of known critically vulnerable versions.
Its research in both 2022 and 2023 found that 96 percent of the vulnerable components downloaded had a fixed, non-vulnerable version available.
Open Source Threat
The discovery of the Log4Shell vulnerability in late 2021 marked a critical moment in the evolution of supply chain threats, Sonatype said, as the widely used open source logging utility was embedded in thousands of enterprise applications.
The critical vulnerability opened a massive attack surface, and attackers began widespread exploitation campaigns within hours of its public disclosure. The flaw sat in the JNDI lookup of log4j-core, so any attacker-controlled string that reached a log statement, a User-Agent header for instance, could make the application fetch and run remote code. Log4Shell demonstrated how a vulnerability in a seemingly obscure open source component could ripple through the entire software ecosystem, impacting organizations across industries.
Speaking to SC UK, Ken Dunham, director of Threat Research at Qualys’ Threat Research Unit said he was not shocked by the number, as “anybody that's been in the world of threat and vulnerability management knows that people still struggle with the basics of block and tackle.”
He said Log4j “is one of those things that's just everywhere” and “it's so hard to get rid of, and they hang on and they just don't let go.”
Dunham said: “Some vulnerabilities are easy to patch and to mitigate and remove, and others are more integrated and multilayered and various dependencies.”
The Sonatype research also found that some critical vulnerabilities in 2024 took over 500 days to fix, and that, despite more than 99 percent of packages having an updated version available, 80 percent of application dependencies go more than a year without being upgraded.
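The figures above describe downloads across the ecosystem; the check a practitioner wants is whether their own build still resolves a vulnerable log4j-core. The script below is an added example, not code from the article or from Sonatype: it parses `mvn dependency:list` output (the sample embedded in it is constructed, not a real build) and flags every log4j-core artifact below the last security release of its branch. The thresholds are an assumption that you follow the Apache Log4j security page, which lists 2.17.1 (Java 8 and later), 2.12.4 (Java 7 branch) and 2.3.2 (Java 6 branch) as the releases that close CVE-2021-44228 and its follow-up CVEs; the function names and the version-ordering rules are my own choices. Only log4j-core carries the JNDI lookup, so a project that depends on log4j-api alone is not flagged.

```python
"""Flag log4j-core versions that still need the Log4Shell-era upgrades.

Added example, not code from the article or from Sonatype. Thresholds are an
assumption (follow Apache's Log4j security page): the last security release per
branch, which closes CVE-2021-44228 and its follow-up CVEs. 2.17.1 covers the
Java 8+ line, 2.12.4 the Java 7 backport branch, 2.3.2 the Java 6 backport branch.
"""
import re

# Log4j 2 version strings as published to Maven Central: 2.0-beta9, 2.0-rc1, 2.14.1 ...
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3  # a final release sorts after every pre-release of the same number


def parse_version(text):
    """Convert a version string into a tuple that compares in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, qualifier, qual_num = m.groups()
    pre = (FINAL_RANK, 0) if qualifier is None else (PRE_RANK[qualifier], int(qual_num))
    return (int(major), int(minor), int(patch or 0)) + pre


FIRST_AFFECTED = "2.0-beta9"  # the JNDI lookup first shipped in this release
FIXED_BY_BRANCH = {(2, 3): "2.3.2", (2, 12): "2.12.4"}  # Java 6 / Java 7 branches
FIXED_DEFAULT = "2.17.1"  # everything else on the 2.x line


def log4shell_status(version):
    """Return 'unaffected', 'fixed' or 'vulnerable, upgrade to <version>'."""
    v = parse_version(version)
    # Log4j 1.x never had the JNDI lookup (it is end-of-life for other reasons);
    # 3.x and anything before 2.0-beta9 are outside the affected range.
    if v[0] != 2 or v < parse_version(FIRST_AFFECTED):
        return "unaffected"
    fixed = FIXED_BY_BRANCH.get(v[:2], FIXED_DEFAULT)
    if v >= parse_version(fixed):
        return "fixed"
    return f"vulnerable, upgrade to {fixed}"


# One resolved line of `mvn dependency:list`: groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def scan_dependency_list(text):
    """Return one finding per resolved log4j-core artifact (log4j-api is not the bug)."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if not m or (m["group"], m["artifact"]) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        try:
            status = log4shell_status(m["version"])
        except ValueError:  # e.g. a -SNAPSHOT or vendor-patched string
            status = "unrecognised version, inspect manually"
        findings.append({"version": m["version"], "scope": m["scope"], "status": status})
    return findings


# Constructed sample output (not a real build): a compile-scoped 2.14.1 that ships
# with the application, and a test-scoped 2.17.1 that never reaches production.
SAMPLE_MVN_OUTPUT = """\
[INFO] --- dependency:3.6.0:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE_MVN_OUTPUT):
        print(f"log4j-core {f['version']} ({f['scope']}): {f['status']}")
```

In practice you would pipe real `mvn dependency:list` output into `scan_dependency_list` and treat any compile- or runtime-scoped finding as a blocker. The dependency list only sees what Maven resolved: a shaded or fat JAR that repackages log4j-core, or a vendor appliance with its own bundled copy, will not appear there, so the complementary check on deployed artifacts is to open each JAR and look for `org/apache/logging/log4j/core/lookup/JndiLookup.class`.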
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.