A Third of Java Projects Still Use Vulnerable Versions of Log4j

Veracode Study Reveals Alarming Percentage of Applications Using Vulnerable Versions of Log4j

Veracode, a prominent software security company, has published the results of a study on how widely vulnerable versions of the Java logging library Log4j remain in use. The study covers the vulnerabilities disclosed in the library over the past two years. Veracode researchers examined 38,278 applications used by 3,866 organizations and found that an alarming 38% of them were still running vulnerable versions of Log4j.

The research also sheds light on why outdated code stays in use. One major factor is that old libraries become deeply integrated into a project, which makes migrating to a newer release branch difficult when that branch is not backward compatible. According to Veracode's earlier report, in a staggering 79% of cases third-party libraries are never updated once they have been added to a project.

Categories of Applications Using Vulnerable Versions of Log4j

  • 2.8% of applications still use Log4j versions from 2.0-beta9 through 2.15.0, the range affected by the Log4Shell vulnerability (CVE-2021-44228). Note that 2.15.0 only disabled the JNDI lookup in the default configuration and remains affected by the follow-up CVE-2021-45046, which is why it belongs in this bucket; the first release that closes both is 2.16.0.
  • 3.8% of applications use the Log4j 2.17.0 release, which resolves Log4Shell but is still affected by CVE-2021-44832, a remote code execution (RCE) flaw in the JDBC Appender. It is exploitable only when an attacker can modify the logging configuration to point that appender at a malicious JNDI data source, so it is far less severe than Log4Shell; the fix shipped in 2.17.1.
  • 32% of applications use the Log4j 1.2.x branch, which reached end of life in 2015 and no longer receives security fixes. This branch is susceptible to critical vulnerabilities such as CVE-2022-23307,
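The figures above are only actionable if you know which Log4j build each of your deployments actually carries. As an added example (not tooling from Veracode or from this article), the following Python script walks a directory of JARs, recovers the bundled log4j-core or Log4j 1 version, and sorts it into the buckets discussed above. It reads the Maven pom.properties (which survives inside shaded uber-JARs), then the OSGi manifest, then falls back to the file name. The fixture JARs it builds are constructed for this example and are not real Log4j binaries; treating the Java 6/7 backport releases (2.3.x, 2.12.2 and later) like the main 2.x line is a simplification that errs toward flagging.

```python
"""Inventory the Log4j versions bundled in a tree of JARs and map each to
the Log4Shell-era vulnerability buckets. Added example, not Veracode's code.
Assumption: the Java 6/7 backport lines (2.3.x, 2.12.2+) are not modelled
and get the conservative main-line classification."""
import re
import tempfile
import zipfile
from pathlib import Path

POM_CORE = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_V1 = "META-INF/maven/log4j/log4j/pom.properties"
PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 0, 1, 9); '2.17.1' -> (2, 17, 1, 1, 0, 0).
    The fourth element is 1 for a final release so that 2.0-beta9 < 2.0.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?",
                     text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag:
        return (int(major), int(minor), int(patch or 0), 0,
                PRE_ORDER[tag.lower()], int(num or 0))
    return (int(major), int(minor), int(patch or 0), 1, 0, 0)

# Main-line release in which each CVE was fixed.
FIXES = [("CVE-2021-44228", parse_version("2.15.0")),
         ("CVE-2021-45046", parse_version("2.16.0")),
         ("CVE-2021-45105", parse_version("2.17.0")),
         ("CVE-2021-44832", parse_version("2.17.1"))]

def classify(version):
    """Return (bucket, [CVEs]) for a Log4j version string."""
    v = parse_version(version)
    if v[0] == 1:
        # Log4j 1.x is end of life since 2015; CVE-2022-23307 is the one
        # cited above, the branch carries others as well.
        return ("Log4j 1.x, end of life", ["CVE-2022-23307"])
    if v < parse_version("2.0-beta9"):
        return ("2.0 pre-release older than beta9, not modelled", [])
    cves = [cve for cve, fixed_in in FIXES if v < fixed_in]
    if "CVE-2021-44228" in cves:
        bucket = "Log4Shell"
    elif "CVE-2021-45046" in cves:
        bucket = "2.15.0: Log4Shell closed in default config only"
    elif cves:
        bucket = "below 2.17.1: config-dependent RCE / DoS"
    else:
        bucket = "not affected by the Log4Shell-era CVEs"
    return (bucket, cves)

def jar_log4j_version(path):
    """Version of log4j-core (or Log4j 1) inside a JAR, or None if absent."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        for pom in (POM_CORE, POM_V1):        # also present in shaded JARs
            if pom in names:
                for line in zf.read(pom).decode().splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:
            mf = zf.read("META-INF/MANIFEST.MF").decode()
            if re.search(r"^Bundle-SymbolicName: (org\.apache\.logging\.log4j\.core|log4j)\s*$",
                         mf, re.M):
                m = re.search(r"^Implementation-Version: (\S+)", mf, re.M)
                if m:
                    return m.group(1)
    m = re.match(r"log4j(?:-core)?-(\d[\w.\-]*)\.jar$", Path(path).name)
    return m.group(1) if m else None

def scan_tree(root):
    """Walk root for *.jar; return [(relative path, version, bucket, cves)]."""
    root = Path(root)
    results = []
    for jar in sorted(root.rglob("*.jar")):
        version = jar_log4j_version(jar)
        if version is not None:
            bucket, cves = classify(version)
            results.append((str(jar.relative_to(root)), version, bucket, cves))
    return results

def build_sample_tree(root):
    """Constructed fixtures mimicking real JAR metadata; the .class entry is
    an empty placeholder, not Log4j code."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    manifest = "Manifest-Version: 1.0\r\nBundle-SymbolicName: {}\r\nImplementation-Version: {}\r\n"
    fixtures = {
        "lib/log4j-core-2.14.1.jar": {POM_CORE: "version=2.14.1\n"},
        "lib/log4j-core-2.17.0.jar": {"META-INF/MANIFEST.MF":
                                      manifest.format("org.apache.logging.log4j.core", "2.17.0")},
        "lib/log4j-1.2.17.jar": {"META-INF/MANIFEST.MF": manifest.format("log4j", "1.2.17")},
        "app-all.jar": {POM_CORE: "version=2.15.0\n",          # shaded uber-JAR
                        "org/apache/logging/log4j/core/lookup/JndiLookup.class": b""},
        "lib/log4j-core-2.17.1.jar": {},                        # file name only
        "lib/commons-lang3-3.12.0.jar": {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n"},
    }
    for name, entries in fixtures.items():
        with zipfile.ZipFile(root / name, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)

def demo():
    """Build the fixtures in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, version, bucket, cves in demo():
        print(f"{path:30} {version:8} {bucket}  {' '.join(cves)}")
```

Point scan_tree at a real deployment directory (an exploded WAR, a lib/ folder, a container layer) to get the same table for production. Anything reported as Log4Shell or as 2.15.0 is an immediate upgrade; the 1.x entries need a migration to Log4j 2 or to a maintained fork, since no fix for that branch will ever ship from Apache.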