2 years on, Log4j still haunts the security community

Dive Brief:

  • Two years after the historic disclosure of a critical zero-day vulnerability in the Apache Log4j library (CVE-2021-44228, known as Log4Shell) sent organizations racing to contain the damage, nearly 2 in 5 applications are still using vulnerable versions, according to a report released Thursday from Veracode.

  • The report found nearly one-third of applications are running Log4j 1.2.x, the original Log4j 1 line, which reached end-of-life status in August 2015 and no longer receives patch updates. Another 2.8% of applications are still using versions vulnerable to Log4Shell itself (Log4j 2.0-beta9 through 2.14.1).

  • Veracode found 3.8% of applications are using Log4j 2.17.0, which was patched against Log4Shell but contains CVE-2021-44832, another remote code execution vulnerability. Veracode rates it high severity; Apache rates it moderate, because exploiting it requires an attacker who can already modify the logging configuration to point a JDBC Appender at a JNDI data source. It was fixed in 2.17.1.
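The three buckets the brief describes (end-of-life 1.x, Log4Shell-vulnerable 2.x, and 2.17.0 with CVE-2021-44832) are easy to get wrong when checked by hand, because the Java 6 and Java 7 maintenance branches (2.3.x and 2.12.x) received backported fixes and so sort "below" the vulnerable range numerically. The following is an added example, not Veracode's tooling or anything from the Log4j project: it parses Log4j version strings, classifies them against the ranges published in the Apache Log4j security advisories, and inspects a jar's manifest and contents rather than trusting the file name. It assumes the jar is not shaded or relocated (a shaded jar hides both the manifest entry and the class path), and the jars it builds for the demo are constructed in memory.

```python
"""Bucket Log4j versions the way the Veracode brief does, and check jars for them.

Added example (not Veracode's or Apache's code). Version ranges follow the Apache
Log4j security advisories; jar inspection assumes the jar is not shaded/relocated.
"""
import io
import os
import re
import zipfile
from typing import NamedTuple, Optional, Tuple

STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL = 3  # a final release sorts after any pre-release with the same numbers


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int      # alpha/beta/rc/final, so 2.0-beta9 < 2.0
    stage_num: int  # the 9 in beta9


VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
# Only log4j-core (2.x) and the monolithic log4j jar (1.x) carry the vulnerable code; log4j-api does not.
JAR_NAME_RE = re.compile(r"^log4j(?:-core)?-(\d[\w.\-]*?)\.jar$", re.I)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return Version(int(major), int(minor), int(patch or 0),
                   STAGE_RANK[stage.lower()] if stage else FINAL, int(num or 0))


def _branch_fixed(v: Version, minor: int, fixed_patch: int) -> bool:
    """True if v sits on the 2.<minor>.x maintenance branch at or past that branch's fix release."""
    return v.major == 2 and v.minor == minor and v.stage == FINAL and v.patch >= fixed_patch


def vulnerable_to_log4shell(v: Version) -> bool:
    # CVE-2021-44228: 2.0-beta9 through 2.14.1; fixed in 2.15.0, backported as 2.12.2 (Java 7) and 2.3.1 (Java 6)
    in_range = parse_version("2.0-beta9") <= v <= parse_version("2.14.1")
    return in_range and not (_branch_fixed(v, 12, 2) or _branch_fixed(v, 3, 1))


def vulnerable_to_cve_2021_44832(v: Version) -> bool:
    # CVE-2021-44832: 2.0-beta7 through 2.17.0; fixed in 2.17.1, backported as 2.12.4 and 2.3.2
    in_range = parse_version("2.0-beta7") <= v <= parse_version("2.17.0")
    return in_range and not (_branch_fixed(v, 12, 4) or _branch_fixed(v, 3, 2))


def classify(version_text: str) -> str:
    v = parse_version(version_text)
    if v.major == 1:
        return "EOL_LOG4J_1X"  # unsupported since August 2015; will never be patched
    if v.major != 2:
        return "UNKNOWN"
    if vulnerable_to_log4shell(v):
        return "LOG4SHELL_CVE_2021_44228"
    if vulnerable_to_cve_2021_44832(v):
        # 2.15.0 and 2.16.0 land here too; they also carry CVE-2021-45046/45105, which this example does not model
        return "CVE_2021_44832"
    return "PATCHED"


def version_from_filename(path: str) -> Optional[str]:
    m = JAR_NAME_RE.match(os.path.basename(path))
    return m.group(1) if m else None


def inspect_jar(jar) -> Tuple[Optional[str], bool]:
    """Return (Implementation-Version from META-INF/MANIFEST.MF, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.lower().startswith("implementation-version:"):
                    version = line.split(":", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def audit_jar(jar, filename: str) -> dict:
    version, jndi = inspect_jar(jar)
    version = version or version_from_filename(filename)  # file name is a fallback, jars get renamed
    bucket = classify(version) if version else "UNKNOWN"
    if bucket == "LOG4SHELL_CVE_2021_44228" and not jndi:
        bucket = "LOG4SHELL_CLASS_REMOVED"  # hot-patched by deleting JndiLookup.class; still an old build
    return {"file": filename, "version": version, "bucket": bucket, "jndi_lookup_present": jndi}


def constructed_jar(version: str, with_jndi_lookup: bool) -> io.BytesIO:
    """Build a minimal in-memory jar for the demo (constructed, not a real Log4j artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, ver, jndi in [("log4j-1.2.17.jar", "1.2.17", False),
                            ("log4j-core-2.14.1.jar", "2.14.1", True),
                            ("log4j-core-2.14.1.jar", "2.14.1", False),
                            ("log4j-core-2.17.0.jar", "2.17.0", True),
                            ("log4j-core-2.17.1.jar", "2.17.1", True)]:
        print(audit_jar(constructed_jar(ver, jndi), name))
```

The manifest is checked before the file name because renamed or vendored jars are common in the long tail the report describes, and the JndiLookup.class check catches the December 2021 hot-patch of deleting that class, which stops Log4Shell but leaves an unsupported build in place. Anything other than PATCHED is an upgrade to 2.17.1 or later (or off the 1.x line entirely).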

Dive Insight:

The report shows that the years-long effort to reform security practices around software development and the use of open source still requires additional work.

“There is a level of responsibility developers must take for their own applications, and there is definitely room for improvement when it comes to open source software security,” Chris Eng, chief research officer at Veracode, said via email.

To read the complete article, visit Cybersecurity Dive.
