More than two months after the discovery of the Log4j vulnerabilities known as Log4Shell, cybersecurity firm Qualys says 30% of Log4j instances remain vulnerable to hackers who can exploit affected systems and take control.
The company indexed more than 10 trillion data points across its installed enterprise customer base and performed six billion IP scans per year across 75 million cloud agents deployed in hybrid IT environments worldwide, giving it a “unique vantage point” on Log4Shell.
The research team then analyzed anonymized security data across its global enterprise customers’ networks and found that nearly a third of Log4j instances remain vulnerable to exploitation.
According to Qualys, more than 80% of the 22 million vulnerable instances were open source applications.
However, the vulnerabilities were also found in cloud workloads and containers in the US and EMEA, suggesting that organizations need to continue scanning containers for bugs like Log4Shell.
Cybersecurity agencies discovered nearly 1,500 vulnerable technology products, of which 1,065 are currently in use by 52 publishers. A surprising number of application installations using Log4j have been marked as “end of support”, meaning these vendors are unlikely to patch their products’ Log4j instances.
According to Qualys’ report, the Log4Shell vulnerability was discovered in more than 2,800 web applications, which in late 2021 became the first line of defense for organizations fending off early attacks. The company also said that over 80% of vulnerable assets resided on Linux systems.
The average time to remediate Log4Shell after detection is 17 days, and systems that can be remotely exploited are patched in an average of 12 days, while internal systems are slower.
After the first month, remediation efforts began to dwindle as security teams found it easier to mitigate Log4Shell than to fix it permanently, Qualys noted.
Other recent research suggests that IT pros need to continue mitigating the vulnerability. Google’s Threat Horizons Executive Snapshot last month revealed that Google Cloud continues to see 400,000 scans per day for Log4j, with other cloud providers likely experiencing the same thing.