Nearly half of all Log4j downloads remain critically vulnerable

The findings come as the US threatens legal action against those who fail to patch to the latest versions of the popular Java library

New research has revealed that nearly half of all Log4j downloads since the discovery of the Log4Shell vulnerability remain critically vulnerable, one month after the initial disclosure. 

As of Sunday, 43% of all Log4j downloads were "coming from critically vulnerable versions", according to security researchers at Sonatype, and a little more than 44% of the downloads in the UK are thought to be exposed to the vulnerability during the same timeframe.

Since 10 December 2021 when Log4Shell was first disclosed, Log4j has been downloaded more than 10 million times. Nearly half of all of these were of unsafe versions, despite fully patched and secure versions being available at the time, Sonatype said.

'Vulnerable downloads' refers to any download of Log4j that was made from 10 December onwards and was vulnerable to Log4Shell at the time. The downloads monitored by the researchers were from The Central Repository which Sonatype describes as "the de-facto download location for dependencies for most Java programming languages" and had a total volume of more than 457 trillion downloads in 2021.

Asked why there were so many vulnerable downloads made despite safe versions being available, Ilkka Turunen, field CTO at Sonatype, said it mainly comes down to teams maintaining legacy infrastructure.

"There are several reasons as to why they might not choose to use the latest and greatest - from legacy infrastructure that has not been maintained and is pinned to old versions to lack of awareness of the need to upgrade," he told IT Pro. "In most cases, organisations have gone through a fire drill to remediate the most critical instances of issue but now face a long tail of more complex maintenance to be able to mitigate all the instances.


"As with any open source, code is provided as is, and it is the responsibility of the user to know and be aware of the risks associated with it," he added. "There are legitimate use cases and sometimes legal requirements that require users to be able to build older software. Pulling known bad versions could end up being a worse antidote than the problem it aims to fix."

The figures are high at the moment, but since the post-holiday return to work, Sonatype said it has observed companies taking steps to rectify the issue. Since 5 January, the company said it saw a 40% adoption rate to the latest versions (2.17 and 2.17.1) that are fully protected against Log4Shell.

"The fact that we are still facing such high percentages of vulnerable downloads is indicative of a much bigger problem with supply chain security," said Turunen. "If companies don’t understand what’s in their software, they’re unable to act with the requisite speed when threats arise - and in this instance, given the huge popularity of Log4j, this exposes them to significant risk.

"Fortunately, there are safe versions of the component available, so for those companies which have acted quickly, their risk has been significantly reduced. However, this needs to serve as an urgent wake-up call that businesses must understand what’s in their software, where dependencies lie, and not leverage vulnerable components when safe ones are available."
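The follow-up work Turunen describes, knowing which Log4j versions sit in your builds and checking the deployed jars rather than trusting a pinned version string, can be scripted. The Python below is an added example written for this page, not code from Sonatype or the article: it takes constructed inventory lines (in `mvn dependency:list` format and as jar paths) and maps each log4j-core version to a verdict using the article's own definitions (critically vulnerable means exposed to Log4Shell, CVE-2021-44228, fixed from 2.15.0; fully fixed means 2.17.0 or later), extended with the Java 6 and Java 7 backport branches (2.3.x, 2.12.x) from Apache's advisories, which the article does not mention. It then builds two sample jars in a scratch directory and inspects them for `JndiLookup.class`. The verdict names (`critical`, `upgrade`, `ok`, `not-affected`, `unknown`), the sample paths and the sample jar contents are this example's own assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Only log4j-core ships the JNDI lookup; log4j-api on its own is not affected.
COORD_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:jar:([^:\s]+)")
JAR_RE = re.compile(r"log4j(?:-core)?-(\d[^/\s]*?)\.jar$")
VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Split '2.0-beta9' / '2.14.1' / '2.17' into comparable parts."""
    m = VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0), m[4], int(m[5] or 0)


def classify(version):
    """Verdict for one log4j-core version (names are this example's own).

    critical     : vulnerable to CVE-2021-44228 (2.0-beta9 through 2.14.1,
                   plus unpatched backport releases 2.3.0 and 2.12.0/2.12.1)
    upgrade      : Log4Shell fixed (2.15.0, 2.16.0, 2.12.2, 2.12.3, 2.3.1) but
                   later Log4j CVEs are not; move to the fully fixed release
    ok           : fully fixed per branch: 2.17.0+ (Java 8+), 2.12.4+ (Java 7),
                   2.3.2+ (Java 6); the article counts 2.17.0/2.17.1 as safe
    not-affected : Log4j 1.x (no JNDI lookup, though end of life with other
                   CVEs) and 2.0 pre-releases before beta9, which had no lookups
    """
    major, minor, patch, pre, prenum = parse_version(version)
    if major == 1:
        return "not-affected"
    if major != 2:
        return "unknown"
    if (minor, patch) == (0, 0) and pre:
        return "critical" if pre == "rc" or prenum >= 9 else "not-affected"
    if minor >= 17:
        return "ok"
    if minor == 12:  # Java 7 backport branch
        return "ok" if patch >= 4 else "upgrade" if patch >= 2 else "critical"
    if minor == 3:   # Java 6 backport branch
        return "ok" if patch >= 2 else "upgrade" if patch >= 1 else "critical"
    if minor >= 15:
        return "upgrade"
    return "critical"


def log4j_core_version(line):
    """Pull the version out of a Maven coordinate or a jar path, else None."""
    for rx in (COORD_RE, JAR_RE):
        m = rx.search(line)
        if m:
            return m[1]
    return None


def scan_inventory(lines):
    """Map every Log4j version referenced in an inventory to its verdict."""
    findings = {}
    for line in lines:
        version = log4j_core_version(line.strip())
        if version:
            try:
                findings[version] = classify(version)
            except ValueError:  # e.g. a locally renamed or shaded jar
                findings[version] = "unknown"
    return findings


def jar_has_jndi_lookup(jar_path):
    """True if the archive still contains JndiLookup.class.

    Filenames can lie, so look inside. Apache's documented mitigation where
    upgrading was impossible was to delete this class with
    `zip -q -d log4j-core-*.jar org/.../lookup/JndiLookup.class`. The class is
    still shipped (disabled) in 2.16 and later, so pair this with classify().
    """
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def build_sample_jars(directory):
    """Constructed stand-ins for real jars: one with the class, one stripped."""
    layout = {
        "log4j-core-2.14.1.jar": [JNDI_LOOKUP_CLASS, "META-INF/MANIFEST.MF"],
        "log4j-core-2.14.1-jndi-removed.jar": ["META-INF/MANIFEST.MF"],
    }
    paths = []
    for name, entries in layout.items():
        path = Path(directory) / name
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")  # contents are irrelevant to the check
        paths.append(path)
    return paths


def demo_jar_check():
    """Build the sample jars in a scratch directory and inspect each one."""
    with tempfile.TemporaryDirectory() as tmp:
        return {p.name: jar_has_jndi_lookup(p) for p in build_sample_jars(tmp)}


# Constructed inventory: `mvn dependency:list` lines, then jar paths found on disk.
SAMPLE_INVENTORY = [
    "[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile",
    "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile",
    "/opt/app/lib/log4j-core-2.0-beta9.jar",
    "/opt/legacy/lib/log4j-core-2.12.2.jar",
    "/opt/app2/lib/log4j-core-2.17.1.jar",
    "/opt/old/lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for version, verdict in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{version:12} {verdict}")
    for name, present in demo_jar_check().items():
        print(f"{name}: JndiLookup.class {'present' if present else 'absent'}")
```

In practice the inventory comes from the real build output of each project and from a filesystem sweep of what is actually deployed (for example `find / -name 'log4j*.jar'`), because a version pinned in a build file says nothing about the jar a legacy host is running, and shaded or renamed jars carry no version string at all; that is why the archive check sits beside the version check.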

US firms in particular are advised to patch to the latest versions of Log4j: last week the Federal Trade Commission (FTC) said it would pursue legal action against companies that fail to patch against Log4Shell, citing the high risk of data breaches resulting from the exploitation of vulnerable systems.

The FTC's strong stance on the matter reflects the US government's recent clampdown on unpatched security vulnerabilities. In November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) set deadlines for all federal agencies to patch hundreds of known exploited security vulnerabilities.

The severity of the Log4Shell vulnerability, and the current cyber security landscape in general, is echoed in research published by Check Point Research on Monday which revealed cyber attacks reached new highs during Q4 2021, driven largely by the number of attempts to exploit Log4Shell.

During Q4 2021, Check Point Research recorded an all-time peak in weekly cyber attacks, averaging more than 900 per organisation. Across the whole of 2021, researchers also observed a 50% year-on-year increase in attacks compared with 2020.
