Askhat - stock.adobe.com
Seventy-two percent of organizations remain vulnerable to Log4Shell, the widespread vulnerability discovered one year ago that attracted nation-state threat actors and ransomware groups, according to new research by Tenable.
The critical remote code execution flaw, tracked as CVE-2021-44228, was found in December 2021 in the open source Log4j 2 software package developed by the Apache Foundation and used in a multitude of Java-based applications. Due to the ease of exploitation, some of which occurred even prior to public disclosure, Log4Shell was swiftly added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog and became an urgent priority for many security teams.
But new research by Tenable Wednesday showed that the problem persists as of Oct. 1, with 72% of organizations still vulnerable to Log4Shell. That number includes some companies that had initially mitigated the flaw. Tenable collected data from more than 500 million tests while conducting the research.
"As of October 2022, 29% of vulnerable assets saw the reintroduction of Log4Shell even after full remediation was achieved," Tenable wrote in the blog post.
Tenable categorizes assets as "an entity that can be analyzed," including desktops, laptops, servers, network devices, phones, tablets, virtual machines and cloud instances.
Bob Huber, chief security officer at Tenable, attributed the addition of new vulnerable assets to an enterprise environment as one cause for the recurrence, according to the blog. While he told TechTarget Editorial that the addition of new systems and assets is the most frequent action that inadvertently reintroduces Log4Shell, addressing issues in both the build pipeline and runtime environment is equally important.
"As it stands, many organizations address the issue on the right side -- in their runtime environment -- only to be replaced with another insecure build," Huber said in an email to TechTarget Editorial. "Identifying every instance of insecure code in use is nontrivial for most organizations, including third parties."
For the 72% of organizations that remain vulnerable, Huber said many are aware they carry risk, however their exposure management programs are not 100% effective across the board. He cited several factors that contribute to a strong foundation, including establishing ownerships of devices and assets and building consensus on what an effective exposure management program looks like, complete with agreed-upon roles, responsibilities, and expectations.
To that end, Huber emphasized the importance of continually assessing enterprise environments for the flaw, as well as other critical vulnerabilities.
However, new hybrid work models that combine on-premises and cloud infrastructures have made it increasingly difficult for enterprises to keep track of everything present in its environment. Combined with a growing list of severe vulnerabilities and understaffed security teams, companies have trouble when it comes to prioritizing patches.
"The data highlights legacy vulnerability remediation challenges, which are the root cause of the majority of data breaches," the blog post read.
Progress against Log4Shell
Log4Shell remains a significant concern, as evidenced by its inclusion in two recent government advisories. Earlier this month, CISA warned that an unnamed organization in the Federal Civilian Executive Branch was compromised by an Iranian threat group that gained access to its systems through a VMware Horizon server where Log4Shell was not patched. In October, the vulnerability was included in the U.S. government's list of the most commonly exploited vulnerabilities by Chinese state-sponsored actors.
Despite the ongoing threat, Tenable researchers did discover some improvements.
In December when it was initially uncovered, Tenable found that one in 10 assets were vulnerable to Log4Shell. As of October, that number had decreased to 2.5%. Additionally, Tenable researchers observed a 14-point improvement from May to October as "28% of organizations across the globe have fully remediated Log4Shell."
Breaking it down by sector, Tenable determined that nearly half of engineering organizations have fully remediated, along with approximately 28% of CISA-defined critical infrastructures. That includes 16 sectors overall such as food and agriculture, energy, and healthcare and public health.