
Despite patches, more than 30 percent of Log4j apps still have a critical vulnerability

  • December 11, 2023

Up to 38 percent of applications using the Log4j library are exposed to security vulnerabilities. Even though patches have been available for more than two years, this percentage is extremely high.

The Log4j logging library, developed by the Apache Software Foundation, is widely used in Java. Although a flaw (called Log4Shell) was discovered two years ago, 38 percent of applications are still considered vulnerable today.

Log4Shell vulnerability

Log4j is an open source tool developed by the Apache Software Foundation. It is often used by project and system administrators for logging in Java applications. However, in December 2021, a bug called Log4Shell was discovered. This is a remote code execution (RCE) flaw that could potentially give an attacker full control of affected systems. At that time, a major campaign was launched to make affected administrators aware of it.

Although patches have been available for more than two years, 38 percent of apps using the Log4j library are vulnerable.

Veracode research results

Veracode collected data from 3,866 companies over 90 days, covering 38,278 applications based on Log4j. It turned out that around 38 percent of the apps use an insecure version of Log4j.

The study also found that 79 percent of developers choose never to update third-party libraries, so as not to affect functionality. Even though these are minor changes and fixes that are unlikely to cause problems, 65 percent of developers don't do this. As long as developers continue to use these outdated library versions, the problem will persist.

Source: IT Daily
