Researchers on Friday reported that roughly two months after its discovery late last year, some 30% of Log4j instances remain vulnerable.
In a blog post, Qualys researchers said they scanned more than 150 million IT assets across all geographies and flagged 22 million vulnerable app installations. Of them, more than 80% were open source applications.
Overall, Log4j was detected in more than 3 million vulnerable instances. The researchers also found that nearly 68,000 vulnerabilities were found in cloud workloads and containers across the United States and EMEA, reinforcing the recommendation that companies need to monitor running containers for flaws like Log4j. More than 50% of application installations with Log4j were flagged as “end-of-support," which means that these publishers will likely not provide Log4Shell security patches for these apps.
Log4j represents just another vulnerability that would give criminal actors access to multiple environments, said Charles "Chuck" Everette, director of cybersecurity advocacy at Deep Instinct. Everette said the industry saw a huge uptick in supply chain attacks, and these types of vulnerabilities are disturbing on multiple levels. While cyber criminals have weaponized the Log4j exploits, Everette said it has not been as heavily exploited as it could have been, but it definitely has given threat actors ideas of additional angles of attack to explore in the future.
“These new vulnerability attack vectors are inevitably going to fall into the hands of common cyber criminals, but good security hygiene and following industry best practices can mitigate these before any harm can be done,” Everette said. “But ultimately it’s up to organizations to make sure they are diligent and not giving the cyber criminals the openings they want.”
John Bambenek, principal threat hunter at Netenrich, said it comes as little surprise that remediation was rapid at first and then plateaued. Bambenek said serious vulnerabilities are never completely removed from the internet.
“Over a decade on, Conficker still has hundreds of thousands of infections worldwide,” Bamenek said. “Until we find a viable way to remediate vulnerabilities globally and universally, I’m fairly certain that I will never be able to retire.”
Mike Parkin, senior technical engineer at Vulcan Cyber, added that what made the Log4J vulnerability such a major issue was how widely used it is across multiple applications and in multiple environments, so it makes sense that Qualys discovered unpatched instances well after the vulnerability was discovered.
“With Log4J used in so many places, it may take some time to even discover all the applications that leverage it,” Parkin said. “This is especially true for home grown apps, and ones that were installed for a limited purpose and then forgotten after serving their purpose. While the majority of vulnerable instances will get patched or have mitigations put in place, chances are good they’ll still be turning up for quite some time to come.”
Avishai Avivi, CISO at SafeBreach, said supply chain vulnerabilities are a challenge that will likely continue as an issue for all enterprises. Avivi added that some of these vulnerabilities will not be simple, or even possible to remediate quickly.
“Enterprises, large and small, should invest in a robust security stack that can help mitigate this type of vulnerability,” Avivi said. “This is especially important when patching some of these is not up to the enterprise, but rather up to their supply chain. This blog highlights the need for an enterprise to validate their security stack holistically rather than discrete vulnerabilities that may, or may not be exploitable when multiple layers of security can provide the protection needed.”