Vulnerable Log4j instances persist two years after patches

TechRadar reports that vulnerable versions of the Apache Log4j software have been observed across 38% of apps between Aug. 15 and Nov. 15, indicating the enduring security risk of the software. Most of the susceptible apps leveraged Log4j2 1.2.x, which had support end in August 2015 and was vulnerable to the critical flaws, tracked as CVE-2023-23302, CVE-2023-23305, and CVE-2023-23307, while the remaining instances were either impacted by the Log4Shell flaws or the CVE-2021-44832 bug, a Veracode report revealed. The low percentage of Log4j instances impacted by Log4Shell indicates a "massive effort" by organizations to remediate the flaw but more should still be done, according to researchers. "If Log4Shell was another example in a long series of wake-up calls to adopt more stringent open-source security practices, the fact that more than 1 in 3 applications currently run vulnerable versions of Log4j shows there is more work to do," said Veracode.