
Despite a Year of Warnings and Patching, Nearly 3 Out of 4 Organizations Still Vulnerable to Log4Shell

A number of security experts have predicted that the Log4Shell vulnerability will haunt organizations for at least a decade, and maybe longer. Those fears look to be well founded as a new report from Tenable finds that 72% of organizations are still vulnerable, in spite of nearly a year of it being one of the biggest items in cybersecurity news.

Log4Shell plagues organizations by hiding in legacy assets & returning with new devices

The battle against Log4Shell is proceeding very slowly due to a confluence of factors. It remains buried in a number of assets, particularly legacy systems that are tougher to address. But it also continues to affect the organization as new devices that have not yet been secured are added. And beleaguered IT staff are simply having trouble finding the numbers and available hours to keep up with it.

The report does find some areas of very substantial progress. When Log4Shell was revealed to the public in December 2021, about 10% of all business assets were thought to be vulnerable to it. That number has dropped to 2.5% as of October 2022, thanks to massive patching efforts. However, 29% of assets have experienced a re-emergence of a Log4Shell vulnerability after being fully remediated.

This was the basis of estimations by security experts that Log4Shell would continue to be an issue throughout the rest of the 2020s; though an organization may well achieve full remediation, over time vulnerable elements will gradually make their way back in the door via new software and new devices. 28% of organizations now report full remediation, a 14 point improvement from six months ago, but these organizations may well fall back into being vulnerable again over time if monitoring and patching efforts are not continually sustained. In essence, 100% of organizations remain at least potentially vulnerable, as the problem continues to circulate and could find its way back in for years to come.

Log4Shell vulnerability varies by location, industry, equipment in use

There is something of a tendency for the more vulnerable and more regulated industries to have higher rates of Log4Shell remediation. The most remediated industry at present is engineering (45%), followed by legal services (38%). Other relatively high performers include financial services and government agencies; private critical infrastructure companies (as defined by CISA) sit at about 28%.

There is also some variance by global regions, though not as much. North America, Europe, Middle East and African countries collectively lead the world at about 27-28%, with Latin America at the other end with 21%. Partial remediation also tracks with these numbers, with North America at 90% and Latin America at 81%.

Surprisingly, reports of Log4Shell being exploited in the wild are relatively low compared to how prevalent it still is; this may indicate attackers are having just as hard a time locating buried weak points as internal IT teams are, as there is often no simple way to scan for every instance in a system. The advanced persistent threat groups of China, Iran and North Korea have all been spotted making attempts, but have experienced relatively little success as of yet (though all have managed to penetrate some number of systems with it).

The presence of legacy systems that are no longer supported with security or operating system updates may also exacerbate the issue. These will generally require special attention and more man-hours from IT, and in some cases may not be able to be remediated. Organizations must also coordinate with vendors that might have some sort of cloud-based access to their systems, such as third party IT management services or those that have shared access to records.

The pernicious Log4Shell vulnerability is present in Log4J, one of the most widely used pieces of logging software in the world. Publisher Apache has long since updated Log4J to remove the issue, but there is no central way to push these updates to all the instances in the wild, so each one must be tracked down individually (and can be buried very deep in applications and software packages).

There has yet to be significant legislation requiring private companies to address the Log4Shell issue, but this could be on the way if the issue continues to hang around (or exploitation of it ramps up). Early in 2022 the FTC warned US companies to take reasonable steps to remediate the vulnerability or face potential future action. The FTC compared the situation to the breach of credit reporting agency Equifax several years ago, an incident that also centered on a known vulnerability that the business failed to address for some time. That ended up costing the company $700 million in a settlement.

A number of major companies and public agencies (such as Microsoft, CISA and CrowdStrike) have released open source tools to help scan for Log4J instances, and private cyber defense services have rushed to add scanning tools as well.
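To show why copies "buried very deep in applications and software packages" are hard to inventory, here is an added example (not taken from the report or from any of the tools named above) that recursively opens nested Java archives and reports each bundled log4j-core copy. The sample archive, its file names and the `0.0.0-sample` version string are constructed placeholders; the scanner reports what it finds and leaves the patched-or-not decision to the reader's vendor guidance.

```python
import io
import re
import zipfile

# Entry names inside a log4j-core JAR: the JNDI lookup class and Maven metadata.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # stop descending into pathologically nested archives

def scan_archive(data, label, depth=0):
    """Return one finding per log4j-core copy in an archive (bytes), recursing."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive, nothing to report
    findings = []
    with zf:
        names = sorted(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            props = zf.read(POM_PROPS) if POM_PROPS in names else b""
            m = re.search(rb"^version=(\S+)", props, re.M)
            findings.append({"path": label, "jndi_lookup": JNDI_CLASS in names,
                             "version": m.group(1).decode() if m else None})
        if depth < MAX_DEPTH:
            for name in names:
                if name.lower().endswith(ARCHIVE_EXT):
                    findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)
    return findings

def make_zip(entries):
    """Build an in-memory archive from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    """Constructed EAR > WAR > JAR nesting; the version string is a placeholder."""
    props = b"version=0.0.0-sample\n"
    full = make_zip({POM_PROPS: props, JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    stripped = make_zip({POM_PROPS: props})  # same metadata, lookup class absent
    war = make_zip({"WEB-INF/lib/log4j-core.jar": full,
                    "WEB-INF/lib/stripped.jar": stripped})
    return make_zip({"app.war": war})

if __name__ == "__main__":
    for finding in scan_archive(build_sample(), "app.ear"):
        print(finding)
```

The class path is checked independently of the Maven metadata because repackaged or renamed JARs may carry one without the other.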