Critical vulnerabilities take over 500 days to be fixed.
Almost three years after the discovery of the Log4Shell vulnerability, 13 percent of active Log4J installations are running vulnerable versions.
According to new research by Sonatype, while 13 percent is an improvement, it should be near zero based on the broad public awareness of the vulnerability. Research done by Sonatype in 2022 found 40 percent of downloads were the known critically vulnerable versions.
Its research in both 2022 and 2023 found that 96 percent of vulnerable components downloaded had a fixed, non-vulnerable version available.
Open Source Threat
The discovery of the Log4Shell vulnerability in late 2021 marked a critical moment in the evolution of supply chain threats, Sonatype said, as the widely-used open source logging utility was embedded in thousands of enterprise applications.
The critical vulnerability opened a massive attack surface and attackers began launching widespread exploitation campaigns within hours of its public disclosure. Log4Shell demonstrated how vulnerabilities in a seemingly obscure open source component could ripple through the entire software ecosystem, impacting organizations across industries.
Speaking to SC UK, Ken Dunham, director of Threat Research at Qualys’ Threat Research Unit, said he was not shocked by the number, as “anybody that's been in the world of threat and vulnerability management knows that people still struggle with the basics of block and tackle.”
He said Log4J “is one of those things that's just everywhere” and “it's so hard to get rid of, and they hang on and they just don't let go.”
Dunham said: “Some vulnerabilities are easy to patch and to mitigate and remove, and others are more integrated and multilayered and various dependencies.”
The Sonatype research also found that some critical vulnerabilities in 2024 took over 500 days to fix, and despite more than 99 percent of packages having updated versions available, 80 percent of application dependencies remain un-upgraded for over a year.
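The figures above describe installations still running vulnerable Log4J versions and dependencies that stay un-upgraded even though fixed releases exist. The check a defender actually needs is mechanical: walk the resolved dependency tree of each build, including transitive dependencies pulled in by other libraries, and flag any Log4j artifact below a known-safe version. The script below is an added example, not code from the article, Sonatype or Qualys. It parses the text format of `mvn dependency:tree`, records how deep each artifact sits in the tree, and compares versions against a safe-version floor. The floor of 2.17.1 for `log4j-core` and both sample trees are assumptions constructed for the example; confirm the floor against the Log4j project's own security advisories before using it.

```python
"""Flag Log4j artifacts below an assumed safe-version floor in a Maven dependency tree.

Added example; not from the article or from Sonatype. Input follows the text
output of `mvn dependency:tree`. The floor version is an assumption to verify
against the Log4j project's own advisories.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ASSUMPTION: safe floor per artifact. 2.17.1 is used for log4j-core here;
# confirm the current value upstream before relying on it.
ASSUMED_SAFE_FLOOR: Dict[str, Tuple[int, ...]] = {
    "org.apache.logging.log4j:log4j-core": (2, 17, 1),
}

# Constructed sample output, not captured from a real build. The vulnerable
# log4j-core is transitive (pulled in by legacy-lib), the case that is
# easiest to miss when only direct dependencies are reviewed.
SAMPLE_TREE_VULNERABLE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.example:legacy-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Constructed sample after the transitive dependency was upgraded.
SAMPLE_TREE_PATCHED = """\
[INFO] com.example:demo-app:jar:1.0.1
[INFO] +- com.example:legacy-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.17.2:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# "[INFO] " then tree-drawing characters, then group:artifact[:type[:classifier]]:version[:scope]
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\\- ]*)(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})$")


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int  # 0 = the project itself, 1 = direct dependency, >= 2 = transitive

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_version(version: str) -> Tuple[int, ...]:
    """Leading numeric components only: '2.14.1' -> (2, 14, 1), '2.0-beta9' -> (2, 0)."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_tree(text: str) -> List[Dependency]:
    """Turn `mvn dependency:tree` output into Dependency records with tree depth."""
    deps: List[Dependency] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.rstrip())
        if not match:
            continue  # plugin banners, BUILD SUCCESS lines, blank lines
        fields = match.group("coord").split(":")
        if len(fields) == 4:        # project root: group:artifact:type:version
            group, artifact, _type, version = fields
            scope = "compile"
        elif len(fields) == 5:      # group:artifact:type:version:scope
            group, artifact, _type, version, scope = fields
        else:                       # group:artifact:type:classifier:version:scope
            group, artifact, _type, _classifier, version, scope = fields
        depth = len(match.group("prefix")) // 3  # each tree level is 3 characters wide
        deps.append(Dependency(group, artifact, version, scope, depth))
    return deps


def find_below_floor(deps: List[Dependency],
                     floors: Dict[str, Tuple[int, ...]] = ASSUMED_SAFE_FLOOR) -> List[Dependency]:
    """Return every tracked artifact whose version sorts below its safe floor."""
    return [d for d in deps if d.key in floors and parse_version(d.version) < floors[d.key]]


def audit_tree(text: str) -> List[Dependency]:
    return find_below_floor(parse_tree(text))


if __name__ == "__main__":
    for name, tree in (("vulnerable", SAMPLE_TREE_VULNERABLE), ("patched", SAMPLE_TREE_PATCHED)):
        hits = audit_tree(tree)
        print(f"{name}: {len(hits)} artifact(s) below floor")
        for dep in hits:
            origin = "direct" if dep.depth == 1 else f"transitive (depth {dep.depth})"
            print(f"  {dep.key}:{dep.version} [{dep.scope}, {origin}]")
```

Run against a saved `mvn dependency:tree` capture per module, the depth field tells you whether a finding can be fixed with a one-line version bump or needs an upstream library upgrade or a dependency-management override, which is the distinction Dunham's "multilayered" remark points at.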
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.