Editor's note: This article originally appeared in our sister publication SC Magazine UK.
Almost three years after the discovery of the Log4Shell vulnerability, 13% of active Log4j installations are running vulnerable versions.
According to new research by Sonatype, 13% is an improvement, but given how widely publicised the vulnerability was, it should be near zero. Sonatype's 2022 research found that 40% of downloads were of the known critically vulnerable versions.
Its research in both 2022 and 2023 found that 96% of vulnerable components downloaded had a fixed, non-vulnerable version available.
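The practical check behind that finding is cheap to automate: list what your build actually resolves and flag any log4j-core below the fixed release for its line. The script below is an added example, not Sonatype's tooling or anything from this article. It assumes input in the shape of Maven's `dependency:list` output (`groupId:artifactId:type:version:scope`, constructed sample lines included) and takes its minimum versions (2.17.1, 2.12.4 for the Java 7 line, 2.3.2 for the Java 6 line) from Apache's Log4j security advisories for the Log4Shell family of CVEs; treat those numbers as an assumption to re-check against the current advisory.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

VersionKey = Tuple[int, int, int, int, str]

# Minimum log4j-core versions per 2.x release line, as given on Apache's Log4j
# security page for the Log4Shell family of CVEs. Assumed here; re-check
# against the current advisory before relying on them.
FIX_JAVA8 = (2, 17, 1)   # default for the 2.x line
FIX_JAVA7 = (2, 12, 4)   # 2.12.x line maintained for Java 7
FIX_JAVA6 = (2, 3, 2)    # 2.3.x line maintained for Java 6

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z]\w*))?$")


def parse_version(text: str) -> VersionKey:
    """Turn '2.0-beta9' or '2.14.1' into a sortable key.

    Pre-release builds sort below the matching release:
    (2, 0, 0, 0, 'beta9') < (2, 0, 0, 1, '').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")


def required_fix(version: VersionKey) -> Optional[Tuple[int, int, int]]:
    """Fixed release that applies to this version's 2.x line (None if not 2.x)."""
    major, minor = version[0], version[1]
    if major != 2:
        return None
    if minor == 3:
        return FIX_JAVA6
    if minor == 12:
        return FIX_JAVA7
    return FIX_JAVA8


@dataclass
class Finding:
    coordinate: str
    version: str
    status: str            # 'vulnerable', 'ok', 'eol' or 'not-applicable'
    fix: Optional[str]


def check_dependency_list(lines: Iterable[str]) -> List[Finding]:
    """Scan Maven 'groupId:artifactId:type[:classifier]:version:scope' lines."""
    findings: List[Finding] = []
    for raw in lines:
        parts = raw.strip().split(":")
        if len(parts) < 5:
            continue
        group, artifact = parts[0], parts[1]
        version = parts[4] if len(parts) == 6 else parts[3]   # classifier shifts the version
        coord = f"{group}:{artifact}"
        if coord == "log4j:log4j":
            # Log4j 1.x is end-of-life: outside Log4Shell's affected range but
            # unmaintained, so it still needs a migration plan.
            findings.append(Finding(coord, version, "eol", None))
            continue
        if coord != "org.apache.logging.log4j:log4j-core":
            continue   # log4j-api and other modules are not the vulnerable artifact
        key = parse_version(version)
        fix = required_fix(key)
        if fix is None:
            findings.append(Finding(coord, version, "not-applicable", None))
            continue
        status = "vulnerable" if key < fix + (1, "") else "ok"
        findings.append(Finding(coord, version, status, ".".join(map(str, fix))))
    return findings


# Constructed sample, not real build output.
SAMPLE_DEPENDENCY_LIST = """
org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
org.apache.logging.log4j:log4j-core:jar:2.12.1:runtime
org.apache.logging.log4j:log4j-core:jar:2.0-beta9:test
org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
log4j:log4j:jar:1.2.17:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
""".strip().splitlines()


if __name__ == "__main__":
    for f in check_dependency_list(SAMPLE_DEPENDENCY_LIST):
        advice = f"  -> upgrade to {f.fix}" if f.status == "vulnerable" else ""
        print(f"{f.status:14} {f.coordinate}:{f.version}{advice}")
```

The check covers declared and transitive dependencies as the build resolves them; it will not see a log4j-core copied into a shaded or fat jar, or dropped onto a server classpath by hand, which is exactly where the long-lived installations tend to hide. Pair it with a scan of deployed jars for `org/apache/logging/log4j/core/` entries, and note that a pre-release or SNAPSHOT of a fixed version is deliberately reported as vulnerable rather than given the benefit of the doubt.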
Log4j: an open-source threat
The discovery of the Log4Shell vulnerability in late 2021 marked a critical moment in the evolution of supply chain threats, Sonatype said, as the widely used open-source logging utility was embedded in thousands of enterprise applications.
The critical vulnerability opened a massive attack surface and attackers began launching widespread exploitation campaigns within hours of its public disclosure. Log4Shell demonstrated how vulnerabilities in a seemingly obscure open-source component could ripple through the entire software ecosystem, impacting organizations across industries.
Speaking to SC UK, Ken Dunham, director of Threat Research at Qualys’ Threat Research Unit, said he was not shocked by the number, as “anybody that's been in the world of threat and vulnerability management knows that people still struggle with the basics of block and tackle.”
He said Log4j “is one of those things that's just everywhere” and “it's so hard to get rid of, and they hang on and they just don't let go.”
Dunham said: “Some vulnerabilities are easy to patch and to mitigate and remove, and others are more integrated and multilayered and various dependencies.”
The Sonatype research also found that some critical vulnerabilities in 2024 took over 500 days to fix, and despite more than 99% of packages having updated versions available, 80% of application dependencies remain un-upgraded for over a year.