Nearly half of all Log4j downloads remain critically vulnerable
The findings come as the US threatens legal action against those who fail to patch to the latest versions of the popular Java library


New research has revealed that nearly half of all Log4j downloads since the discovery of the Log4Shell vulnerability remain critically vulnerable, one month after the initial disclosure.
As of Sunday, 43% of all Log4j downloads were "coming from critically vulnerable versions", according to security researchers at Sonatype, and a little more than 44% of the downloads in the UK are thought to be exposed to the vulnerability during the same timeframe.
Since 10 December 2021 when Log4Shell was first disclosed, Log4j has been downloaded more than 10 million times. Nearly half of all of these were of unsafe versions, despite fully patched and secure versions being available at the time, Sonatype said.
'Vulnerable downloads' refers to any download of Log4j made from 10 December onwards that was vulnerable to Log4Shell at the time. The downloads monitored by the researchers were from The Central Repository, which Sonatype describes as "the de-facto download location for dependencies for most Java programming languages" and which had a total volume of more than 457 trillion downloads in 2021.
Asked why there were so many vulnerable downloads made despite safe versions being available, Ilkka Turunen, field CTO at Sonatype, said it mainly comes down to teams maintaining legacy infrastructure.
"There are several reasons as to why they might not choose to use the latest and greatest - from legacy infrastructure that has not been maintained and is pinned to old versions to lack of awareness of the need to upgrade," he told IT Pro. "In most cases, organisations have gone through a fire drill to remediate the most critical instances of the issue but now face a long tail of more complex maintenance to be able to mitigate all the instances.
"As with any open source, code is provided as is, and it is the responsibility of the user to know and be aware of the risks associated with it," he added. "There are legitimate use cases and sometimes legal requirements that require users to be able to build older software. Pulling known bad versions could end up being a worse antidote than the problem it aims to fix."
The figures are high at the moment, but since the post-holiday return to work, Sonatype said it has observed companies taking steps to rectify the issue. Since 5 January, the company said it has seen a 40% adoption rate of the latest versions (2.17 and 2.17.1), which are fully protected against Log4Shell.
"The fact that we are still facing such high percentages of vulnerable downloads is indicative of a much bigger problem with supply chain security," said Turunen. "If companies don’t understand what’s in their software, they’re unable to act with the requisite speed when threats arise - and in this instance, given the huge popularity of Log4j, this exposes them to significant risk.
"Fortunately, there are safe versions of the component available, so for those companies which have acted quickly, their risk has been significantly reduced. However, this needs to serve as an urgent wake-up call that businesses must understand what’s in their software, where dependencies lie, and not leverage vulnerable components when safe ones are available."
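As an added example (not code from the article, Sonatype or the Log4j project), the following script applies the article's own definition to a project's dependency list: it parses constructed sample output in the `group:artifact:type:version:scope` shape printed by `mvn dependency:list`, flags any `log4j-core` 2.x coordinate below the 2.17 line the article calls fully protected, and leaves other artifacts alone. The sample lines, the coordinate regex and the 2.17.0 threshold are assumptions taken from the page, not from any real build.

```python
"""Audit a Maven dependency list for Log4j versions still exposed to Log4Shell.
Added example, not the article's or Sonatype's code: applies the article's rule
that only the 2.17 / 2.17.1 releases are fully protected."""
import re
from typing import List, Tuple

SAFE_MINIMUM = (2, 17, 0)  # the article names 2.17 and 2.17.1 as fully protected
# The JNDI lookup behind Log4Shell ships in log4j-core; log4j-api alone is not affected.
VULNERABLE_GROUP = "org.apache.logging.log4j"
VULNERABLE_ARTIFACT = "log4j-core"

# Constructed sample in the group:artifact:type:version:scope shape printed by
# `mvn dependency:list`; not output from any real project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
[INFO]    log4j:log4j:jar:1.2.17:compile
"""
COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):(\w+)")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.17', '2.14.1' or '2.17.1-rc1' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) if p else 0 for p in m.groups())
    return (major, minor, patch)

def is_log4shell_exposed(group: str, artifact: str, version: str) -> bool:
    """True for log4j-core 2.x below the safe minimum. Log4j 1.x (log4j:log4j) is a
    separate, end-of-life code base without the Log4Shell lookup, so it is not flagged."""
    if group != VULNERABLE_GROUP or artifact != VULNERABLE_ARTIFACT:
        return False
    parsed = parse_version(version)
    return parsed[0] == 2 and parsed < SAFE_MINIMUM

def audit(dependency_list: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, scope) for every exposed Log4j entry."""
    findings = []
    for line in dependency_list.splitlines():
        m = COORD_RE.search(line)
        if m is None:
            continue
        group, artifact, version, scope = m.groups()
        if is_log4shell_exposed(group, artifact, version):
            findings.append((f"{group}:{artifact}", version, scope))
    return findings
```

Running `audit(SAMPLE_DEPENDENCY_LIST)` on the sample reports only the 2.14.1 `log4j-core` entry; the 2.17.1 copy, the `log4j-api` artifact and the 1.x line are not flagged.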
US firms, in particular, are advised to patch to the latest versions of Log4j: last week the Federal Trade Commission (FTC) said it would pursue legal action against companies that fail to patch against Log4Shell, citing the high risk of data breaches resulting from the exploitation of vulnerable systems.
The strong stance on the matter from the FTC is indicative of the US government's recent clampdown on cyber security vulnerabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) set deadlines for all federal agencies to patch hundreds of security vulnerabilities in November 2021.
The severity of the Log4Shell vulnerability, and the current cyber security landscape in general, is echoed in research published by Check Point Research on Monday which revealed cyber attacks reached new highs during Q4 2021, driven largely by the number of attempts to exploit Log4Shell.
During Q4 2021, Check Point Research noted there was an all-time peak in weekly cyber attacks with an average of more than 900 per organisation. Researchers also observed a 50% increase in attacks year on year for the entirety of 2021 compared to 2020's figures.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.