A new report from cybersecurity firm Tenable finds that a worrying majority of organizations remain vulnerable to Log4Shell, even though the vulnerability has been public knowledge for nearly a year and a fixed Log4j release has been available for nearly as long.
Log4Shell still common in the wild; remediated organizations see it return with new devices
The report does not indicate that the alarms in the media and the waves of patching have been in vain; substantial progress has been made in chipping away at the vulnerability. The main problem is that even a fully clean organization is only one new device or software download away from reintroducing it, because any new asset that bundles an unpatched copy of the library brings the flaw back with it.
The survey does indicate continuing struggles to reach full remediation, however. In no industry do more than 50% of companies report having Log4Shell fully under control (engineering is furthest along at 45%), and some industries are still below 30%. Staffing and hiring remain the key obstacles.
The upside to this general state of unpreparedness is that Log4Shell is also not being exploited at alarming rates. One reasonable hypothesis is that organizations have addressed it in the places you would think to look, leaving the remaining instances in areas that attackers would not think to probe either. It can be a difficult vulnerability to find even with full access to internal systems, let alone from the outside.
Log4Shell also continues to be nestled in legacy systems that are difficult for IT teams to address, usually because those systems are long out of support for security or operating-system updates. A variety of free scanning tools have been made available by both government agencies (CISA) and private companies (Microsoft), but they will not necessarily unearth every instance of the vulnerability in these systems.
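The reason general-purpose scanners miss copies is usually structural: a vulnerable log4j-core is often not a file on disk called log4j-core-2.x.jar but an entry nested inside a WAR, EAR or fat JAR, sometimes with relocated (shaded) package names, and a library whose version string is old may already have had the JndiLookup class deleted, which is the mitigation the Log4j project documented for installs that could not upgrade. The following Python script is an added example written for this article, not code from Tenable, CISA or Microsoft: it walks a directory, descends into nested archives, and reports each log4j-core it finds as vulnerable, mitigated (JndiLookup.class removed) or fixed. The version ranges are those of CVE-2021-44228 and the follow-up CVE-2021-45046 (2.0-beta9 up to but excluding 2.16.0, with the 2.12.2 and 2.3.1 backport branches treated as fixed); the directory tree it scans is a constructed fixture of placeholder archives, not real software.

```python
"""Recursive scan of JAR/WAR/EAR archives for log4j-core and the JndiLookup class.
Added example for this article; the fixture it builds is constructed, not real software."""
import io
import os
import re
import shutil
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple:
    """'2.0-beta9' -> ((2, 0), 0, 9); '2.14.1' -> ((2, 14, 1), 1, 0), so pre-releases sort below finals."""
    base, _, suffix = text.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    if not suffix:
        return (nums, 1, 0)
    m = re.search(r"\d+", suffix)
    return (nums, 0, int(m.group()) if m else 0)


def is_vulnerable_version(version: str) -> bool:
    """CVE-2021-44228 affects 2.0-beta9 through 2.14.1 and 2.15.0 carried the incomplete fix
    (CVE-2021-45046), so 2.16.0 is the first 2.x release treated as fixed here; the Java 7 and
    Java 6 backport branches are fixed from 2.12.2 and 2.3.1 respectively."""
    v = parse_version(version)
    branch = v[0][:2]
    if branch == (2, 12):
        return v < parse_version("2.12.2")
    if branch == (2, 3):
        return v < parse_version("2.3.1")
    return parse_version("2.0-beta9") <= v < parse_version("2.16.0")


@dataclass
class Finding:
    path: str                 # file path, with '!' separating nested archive entries
    version: Optional[str]    # from pom.properties, None if the archive carries no version
    jndi_present: bool        # whether JndiLookup.class (possibly shaded) is still in the archive

    @property
    def status(self) -> str:
        if self.version is not None and not is_vulnerable_version(self.version):
            return "fixed"
        if not self.jndi_present:
            return "mitigated"          # old version string, but the class was deleted with `zip -d`
        return "vulnerable" if self.version is not None else "jndi-present"


def _scan_zip(zf: zipfile.ZipFile, label: str, out: List[Finding]) -> None:
    names = zf.namelist()
    jndi = any(n.endswith(JNDI_CLASS) for n in names)  # endswith also matches relocated (shaded) packages
    pom = next((n for n in names if n.endswith(POM_PROPS)), None)
    version = None
    if pom:
        for line in zf.read(pom).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if jndi or version:
        out.append(Finding(label, version, jndi))
    for n in names:                                   # descend into nested archives (WAR/EAR/fat JAR)
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    _scan_zip(inner, f"{label}!{n}", out)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(p) as zf:
                        _scan_zip(zf, os.path.relpath(p, root).replace(os.sep, "/"), out)
                except zipfile.BadZipFile:
                    continue
    return sorted(out, key=lambda x: x.path)


def _log4j_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed placeholder for a log4j-core jar: only the two entries the scanner looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed fixture laid out like an application server directory."""
    root = tempfile.mkdtemp(prefix="log4jscan-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "legacy"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_log4j_jar("2.14.1"))                     # plainly vulnerable
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_log4j_jar("2.17.1"))                     # upgraded
    with open(os.path.join(root, "legacy", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_log4j_jar("2.14.1", with_jndi=False))    # class removed, version string unchanged
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:                 # nested copy that a flat file scan misses
        zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", _log4j_jar("2.13.3"))
    with open(os.path.join(root, "service.war"), "wb") as f:
        f.write(war.getvalue())
    return root


def demo() -> Dict[str, str]:
    root = build_sample_tree()
    try:
        return {f.path: f.status for f in scan_tree(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:12} {path}")
```

Two design choices matter for the "full remediation" question the article raises. Matching JndiLookup.class by path suffix rather than exact path catches shaded copies, and reading the version from pom.properties rather than from the file name catches a renamed or embedded library; a scanner that trusts file names will report a clean system that still ships the class inside a WAR. Conversely, flagging on version alone produces false positives for installs that applied the class-removal mitigation, which is why the script reports those separately as mitigated rather than vulnerable.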
Regulatory pressure could soon push organizations to track everything down, however: the FTC has warned that it is considering major fines for companies that are breached through Log4Shell and are found to have failed to take "reasonable" action. A spike in exploitation of the vulnerability could very well be accompanied by a corresponding spike in regulatory and legislative interest.
Can Log4Shell ever be fully remediated?
As mentioned, there are some markers of progress in spite of the relatively concerning news. In the year since Log4Shell became public knowledge, the estimated share of business assets vulnerable to it has dropped from 10% to 2.5%. However, that does not mean those assets will stay clean; the vulnerable code can be reintroduced at any time.
Slow progress of this nature is thus likely in the coming years, two steps forward and one step back. In the second half of 2022 the share of organizations reporting full remediation jumped from 14% to 28%, but that "full" status remains in peril as long as unpatched Log4j 2 builds remain in circulation. The vulnerability will likely not be "defeated" until all of the old instances are either patched or fall out of use, something security experts think could take a decade or more.