Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found.
Researchers at security firm Rezilion analyzed the current potential attack surface for the vulnerability in the popular open-source Apache Log4j framework that threatened to break the internet when it was discovered in December. The flaw in the ubiquitous Java logging library Apache Log4j is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover. Rezilion expected that due to the “massive amount of media coverage” the bug unsurprisingly received, the majority of applications would already be patched, Head of Vulnerability Research Yotam Perkal wrote in a report published Tuesday. However, their analysis found a very different story, he said. “We learned that the landscape is far from ideal and many applications vulnerable to Log4Shell still exist in the wild,” Perkal wrote in the report.
Many applications are still using Log4j version 1.x and likely aren’t patched because the original Log4Shell vulnerability, tracked as CVE-2021-44228, doesn’t apply to this version, researchers noted. However, this is a misconception, as that version has been “in an end-of-life state since August 2015 (which means it does not get any security updates), and contains plenty of other vulnerabilities, including RCE vulnerabilities,” Perkal noted. “This should definitely worry organizations that are still using it,” he wrote.
Perhaps most worrying about the vulnerable attack surface is that Log4Shell remains a hot target for threat actors, researchers noted. Indeed, attackers immediately set upon the bug once it was discovered—already under active exploitation—and haven’t let up much since. While Apache released a patch for Log4Shell within a day of discovery, it, too, had issues that could lead to DoS attacks—and apparently still hasn’t been applied in many cases.

Millions of Java Apps Remain Vulnerable to Log4Shell
Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.
