Three out of four organizations are still vulnerable to Log4Shell
The Log4j or Log4Shell vulnerability first hit the news in December 2021 sending ripples through the cybersecurity world. So you might be forgiven for thinking that it's safe to assume it's no longer a threat. However, one year on it seems that this is a vulnerability that keeps on being, well… vulnerable.
New research from Tenable, based on data collected from over 500 million tests, shows that 72 percent of organizations remain vulnerable to Log4Shell as of October this year.
Analysis of Tenable's telemetry found that one in 10 assets was vulnerable to Log4Shell as of December 2021, including a wide range of servers, web applications, containers and IoT devices. By October 2022 the data showed improvements, with 2.5 percent of assets vulnerable. Yet nearly one third (29 percent) of these assets had recurrences of Log4Shell after full remediation was achieved.
"Full remediation is very difficult to achieve for a vulnerability that is so pervasive and it's important to keep in mind that vulnerability remediation is not a ‘one and done’ process," says Bob Huber, chief security officer at Tenable. "While an organization may have been fully remediated at some point, as they've added new assets to their environments, they are likely to encounter Log4Shell again and again. Eradicating Log4Shell is an ongoing battle that calls for organizations to continually assess their environments for the flaw, as well as other known vulnerabilities."
Some industries have fared better than others, with engineering (45 percent), legal services (38 percent), financial services (35 percent), non-profit (33 percent) and government (30 percent) leading the pack with the most organizations fully remediated. Approximately 28 percent of CISA-defined critical infrastructure organizations have fully remediated too.
North American organizations are most likely to have fully remediated Log4j (28 percent), followed by Europe, Middle East and Africa (27 percent), Asia-Pacific (25 percent) and Latin America (21 percent). North America is also the top region for the percentage of organizations that have partially remediated (90 percent) compared to Europe, Middle East and Africa (85 percent), Asia-Pacific (85 percent), and Latin America (81 percent).
You can find out more about Tenable's research into Log4j on the company's site.