"Despite a Year of Warnings and Patching, Nearly 3 Out of 4 Organizations Still Vulnerable to Log4Shell"

According to several security experts, the Log4Shell vulnerability will impact organizations for at least a decade. Those concerns appear to be justified, as a new report from Tenable finds that 72 percent of organizations are still vulnerable, even though the vulnerability has been one of the most notable items in cybersecurity news for nearly a year. It remains buried in many assets, especially legacy systems that are more difficult to address. It also continues to affect organizations as new unsecured devices are added. Information Technology (IT) staff are struggling to build bigger teams of professionals to keep up.

The report does identify some areas where significant progress has been made. When Log4Shell was made public in December 2021, it was estimated that 10 percent of all business assets were vulnerable to it. Due to massive patching efforts, that figure has dropped to 2.5 percent as of October 2022. However, after being fully remedied, 29 percent of assets experienced the re-emergence of a Log4Shell vulnerability. This was the basis for security experts' predictions that Log4Shell would continue to be a problem throughout the rest of the 2020s. While an organization could achieve full remediation, vulnerable elements will gradually make their way back in through new software and devices over time. Although 28 percent of organizations now report full remediation, a 14-point increase from six months ago, these organizations may become vulnerable again if monitoring and patching efforts do not continue. All organizations are still potentially vulnerable, as the problem is still circulating and could resurface in the coming years. Engineering is currently the most remedied industry (45 percent), followed by legal services (38 percent).

Reports of Log4Shell being exploited in the wild are relatively low in comparison to how prevalent it remains, indicating that attackers are having just as much difficulty locating buried weak points as internal IT teams. The Advanced Persistent Threat (APT) groups of China, Iran, and North Korea have all been observed making attempts, but with limited success thus far. This article continues to discuss the Log4Shell vulnerability and its expected long-term impact on organizations.

CPO Magazine reports "Despite a Year of Warnings and Patching, Nearly 3 Out of 4 Organizations Still Vulnerable to Log4Shell"

Submitted by Anonymous on