Tenable®, the Exposure Management company, announced the findings of a telemetry study conducted in the months following the initial disclosure of the critical Log4j vulnerability known as Log4Shell. As of October 1, 2022, 72% of organizations are still vulnerable to the Log4Shell vulnerability, according to data collected from over 500 million tests. The data focuses on legacy vulnerability remediation issues, which are the root cause of the vast majority of data breaches.
When Log4Shell was discovered in December 2021, businesses all over the world scrambled to assess their risk. Organizations significantly reallocated resources and invested tens of thousands of hours in identification and remediation efforts in the weeks following its disclosure. One federal cabinet department reported that its security team spent 33,000 hours responding to Log4j vulnerabilities alone.
Tenable telemetry discovered that as of December 2021, one out of every ten assets was vulnerable to Log4Shell, including a wide range of servers, web applications, containers, and IoT devices. Data from October 2022 revealed that 2.5% of assets were vulnerable. Even so, nearly one-third (29%) of these assets had Log4Shell recurrences after full remediation.
“Full remediation is very difficult to achieve for a vulnerability that is so pervasive and it’s important to keep in mind that vulnerability remediation is not a ‘one and done’ process,” said Robert Huber, chief security officer, Tenable. “While an organization may have been fully remediated at some point, as they’ve added new assets to their environments, they are likely to encounter Log4Shell again and again. Eradicating Log4Shell is an ongoing battle that calls for organizations to continually assess their environments for the flaw, as well as other known vulnerabilities.”
Other key findings from the data include:
More information about Tenable’s Log4Shell coverage can be found at https://www.tenable.com/log4j.