Rezilion researchers discovered that the attack surface for the critical Log4Shell zero-day
flaw in the Apache Log4j library continues to be significant four months since its discovery, according to BleepingComputer.
Sixty percent of open-source packages leveraging Log4j continue to be vulnerable to Log4Shell, tracked as CVE-2021-44228, while more than 90,000 internet-facing apps with old Log4j versions are possibly vulnerable, the report revealed.
Researchers also noted severely delayed patching for the WSO2 API Manager, as well as the Apache Storm and Apache skywalking-oap containers. Meanwhile, 68,000 Minecraft servers also remain potentially vulnerable to Log4Shell.
Poor visibility and inadequate vulnerability management processes may be among the key reasons behind the dismal patching of Log4Shell, according to researchers, who noted that the vulnerability has been challenging to identify in production environments and third-party software. The persistence of the Log4Shell flaw should prompt organizations to scan their environments and immediately perform upgrades if necessary.
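The visibility problem the researchers describe is largely one of packaging: log4j-core is often buried inside WARs, fat JARs and container images rather than installed as a plainly named file. The following scanner is an added example written for this summary; it is not code from Rezilion, BleepingComputer or the Log4j project. It walks a directory tree, opens every archive (including archives nested inside archives), reads the Maven `pom.properties` that log4j-core ships with, checks whether `JndiLookup.class` is still packaged, and flags versions below the releases that fixed CVE-2021-44228 (2.15.0, or 2.12.2 on the Java 7 branch). The sample archives it builds in a temporary directory are constructed fixtures, not real artifacts.

```python
"""Locate Log4j 2 core JARs under a directory tree, including JARs nested in
WARs/EARs/fat JARs, and report which ones are still exposed to CVE-2021-44228."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Maven metadata path that real log4j-core JARs carry.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class that performs JNDI lookups; deleting it was the widely used manual mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# First releases that fixed CVE-2021-44228 on each maintained branch.
FIXED_2X = (2, 15, 0)     # Java 8+ branch
FIXED_212 = (2, 12, 2)    # Java 7 branch
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str         # outer path, then "!" and the nested path for embedded JARs
    version: str          # version from pom.properties, or "unknown"
    jndi_present: bool    # JndiLookup.class still packaged?
    vulnerable: bool


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric version from pom.properties ("2.0-beta9" parses as (2, 0))."""
    m = re.search(r"^version=([0-9]+(?:\.[0-9]+)*)", text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version: Optional[Tuple[int, ...]], jndi_present: bool) -> bool:
    """Exposed when JndiLookup is present and the version predates the fix."""
    if not jndi_present:
        return False            # lookup class removed: mitigated even on old versions
    if version is None:
        return True             # unknown version with the lookup class: treat as exposed
    if version[0] != 2:
        return False            # Log4j 1.x is not affected by CVE-2021-44228
    if version[:2] == (2, 12):
        return version < FIXED_212
    return version < FIXED_2X


def scan_archive(data: bytes, location: str, findings: List[Finding]) -> None:
    """Inspect one archive held in memory and recurse into any archives it embeds."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        jndi = JNDI_CLASS in names
        label = ".".join(map(str, version)) if version else "unknown"
        findings.append(Finding(location, label, jndi, is_vulnerable(version, jndi)))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            scan_archive(zf.read(name), f"{location}!{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def build_sample(root: str) -> None:
    """Constructed fixtures (not real artifacts): an unpatched log4j-core hidden in a WAR,
    a patched JAR, and an old JAR from which JndiLookup.class was removed."""
    def core_jar(version: str, with_jndi: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if with_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder class bytes
        return buf.getvalue()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1", True))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(core_jar("2.17.1", True))
    with open(os.path.join(root, "log4j-core-2.14.1-mitigated.jar"), "wb") as fh:
        fh.write(core_jar("2.14.1", False))


def demo() -> Dict[str, bool]:
    """Scan the constructed fixtures; returns {relative location: vulnerable}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return {f.location[len(tmp) + 1:]: f.vulnerable for f in scan_tree(tmp)}


if __name__ == "__main__":
    for loc, vuln in demo().items():
        print(f"{'VULNERABLE' if vuln else 'ok        '}  {loc}")
```

Only the log4j-core copy embedded in the WAR is reported as vulnerable: the 2.17.1 JAR is past the fixed release, and the 2.14.1 JAR with JndiLookup removed is treated as mitigated. Pointing `scan_tree` at application directories and extracted container layers catches the bundled copies that a package-manager inventory misses.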