A third of Java projects based on the Log4j library continue to use vulnerable versions

Veracode has published the results of a study of how widespread the critical vulnerabilities identified in the Log4j Java library over the previous two years still are. After examining 38,278 applications used by 3,866 organizations, Veracode researchers found that 38% of them use vulnerable versions of Log4j. The main reasons legacy code stays in use are that old libraries get baked into projects, and that migrating from an unsupported branch to a newer one is laborious when the new branch is not backward compatible (judging by a previous Veracode report, 79% of third-party libraries pulled into project code are never updated afterwards).

There are three main categories of applications that use vulnerable versions of Log4j:

  • 2.8% of applications continue to use Log4j versions from 2.0-beta9 to 2.15.0, which remain exposed to the Log4Shell vulnerability (CVE-2021-44228; the fix shipped in 2.15.0 was incomplete and was followed by CVE-2021-45046).
  • 3.8% of applications use the Log4j 2.17.0 release, which fixes Log4Shell but leaves CVE-2021-44832 unfixed: a remote code execution (RCE) vulnerability reachable when an attacker can control the logging configuration (JDBC Appender with a JNDI data source), fixed in 2.17.1.
  • 32% of applications use the Log4j 1.2.x branch, support for which ended back in 2015. This branch is affected by the critical vulnerabilities CVE-2022-23307 (deserialization in Chainsaw), CVE-2022-23305 (SQL injection in JDBCAppender) and CVE-2022-23302 (deserialization in JMSSink), identified in 2022, seven years after the end of maintenance, and no fixes will be released for it.
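
As an added illustration (not part of the original article and not Veracode's own tooling), the following Python script applies the report's three categories to a constructed list of Log4j JAR names, such as a build tool's dependency listing or a scan of a deployment directory would produce. The version comparison handles the 2.0 pre-releases, so the 2.0-beta9 lower bound is compared in release order rather than as a string. Anything outside the three buckets is reported as "not in any of the report's three categories", which is deliberately not the same as "safe".

```python
import re
from collections import Counter

# Constructed sample dependency listing (JAR names as a build tool or a scan of a
# deployment directory would report them). Not data from the Veracode report.
SAMPLE_ARTIFACTS = [
    "log4j-core-2.0-beta9.jar",
    "log4j-core-2.14.1.jar",
    "log4j-core-2.15.0.jar",
    "log4j-core-2.17.0.jar",
    "log4j-core-2.17.1.jar",
    "log4j-core-2.20.0.jar",
    "log4j-1.2.17.jar",
    "log4j-1.2.14.jar",
]

# The three categories from the report, plus a bucket for everything else.
CAT_LOG4SHELL = "2.0-beta9..2.15.0: Log4Shell, CVE-2021-44228"
CAT_2_17_0 = "2.17.0: CVE-2021-44832 unfixed"
CAT_1_2_X = "1.2.x: end of life 2015; CVE-2022-23307, CVE-2022-23305, CVE-2022-23302"
CAT_OTHER = "not in any of the report's three categories"

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")
_JAR_RE = re.compile(r"^log4j(?:-core)?-(\d[\w.-]*)\.jar$")


def parse_version(version):
    """Map a Log4j version string to a tuple that sorts in release order.

    A pre-release sorts below the final release with the same number, so
    2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.  Only the numeric schemes used by
    Log4j 1.x and 2.x are accepted; anything else raises ValueError.
    """
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    if pre is None:
        return numeric + (1, 0, 0)  # a final release outranks every pre-release
    return numeric + (0, _PRE_RANK[pre], int(pre_num))


LOG4SHELL_LOW = parse_version("2.0-beta9")
LOG4SHELL_HIGH = parse_version("2.15.0")  # upper bound the report uses for this bucket
V_2_17_0 = parse_version("2.17.0")


def classify(version):
    """Place one Log4j version into the report's categories."""
    key = parse_version(version)
    if key[:2] == (1, 2):
        return CAT_1_2_X
    if LOG4SHELL_LOW <= key <= LOG4SHELL_HIGH:
        return CAT_LOG4SHELL
    if key == V_2_17_0:
        return CAT_2_17_0
    # Outside the report's three buckets. This says nothing about whether the
    # version is free of known issues; check the Log4j security page for that.
    return CAT_OTHER


def version_from_jar(name):
    """Extract the version from 'log4j-core-2.14.1.jar' or 'log4j-1.2.17.jar'."""
    m = _JAR_RE.match(name)
    if not m:
        raise ValueError(f"not a log4j or log4j-core artifact: {name!r}")
    return m.group(1)


def audit(artifacts):
    """Return {jar name: category} for every artifact in the listing."""
    return {name: classify(version_from_jar(name)) for name in artifacts}


def summarize(artifacts):
    """Count artifacts per category, the way the report's percentages are built."""
    return Counter(audit(artifacts).values())


if __name__ == "__main__":
    for name, category in audit(SAMPLE_ARTIFACTS).items():
        print(f"{name:28} {category}")
    for category, count in summarize(SAMPLE_ARTIFACTS).items():
        print(f"{count} x {category}")
```

Only log4j-core and the 1.x log4j JAR are matched, since those carry the vulnerable code; log4j-api alone is not a hit. Shaded or renamed JARs, and copies of Log4j nested inside WAR or uber-JAR files, are not seen by a filename scan like this one and need a content-based check.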

Source: opennet.ru