More than two months after the Log4j vulnerabilities known as Log4Shell were discovered, 30% of Log4j instances remain vulnerable, leaving hackers able to exploit them and take control of affected systems, according to cybersecurity firm Qualys.
The company indexed more than 10 trillion data points across its installed enterprise customer base and completed six billion IP scans per year with 75 million cloud agents deployed in hybrid IT environments globally, giving it a “unique vantage point” from which to detect Log4Shell.
The research team then analyzed anonymized security data across the networks of its global enterprise customers, and discovered that nearly a third of Log4j instances remain vulnerable to exploitation.
According to Qualys, of the 22 million vulnerable instances, more than 80% were open source applications.
However, the vulnerabilities were also found in cloud workloads and containers across the U.S. and EMEA, suggesting that enterprises need to continue scanning containers for flaws like Log4Shell.
Cybersecurity agencies discovered nearly 1,500 vulnerable technology products, of which 1,065 across 52 publishers are currently in use. A surprisingly large number of application installations with Log4j were flagged as “end-of-support,” meaning those vendors will likely not be patching their products’ Log4j instances.
According to Qualys’ report, the Log4Shell vulnerability was detected in more than 2,800 web applications, which became the first line of defense for enterprises fending off early attacks in late 2021. Over 80% of the vulnerable assets were on Linux systems, according to Qualys.
The average time to remediate Log4Shell after detection is 17 days, and systems that can be exploited remotely are patched in an average of 12 days, while internal systems are slower.
After the first month, remediation efforts began trending down as security teams found it easier to mitigate Log4Shell than to fix it permanently, Qualys found.
Other recent research suggests IT professionals need to continue to mitigate the vulnerability. Google’s Threat Horizons Executive Snapshot last month found that Google Cloud continues to see 400,000 scans for Log4j each day, with other cloud providers thought to be experiencing the same.