In response to the danger, many updates and fixes were quickly issued to help secure systems. But, a year later, writes Palmer, Log4j remains a threat because many organizations have yet to apply those updates.
Just last month, “CISA and the FBI put out a security alert, warning that if organizations hadn't yet patched or mitigated Log4j vulnerabilities, they should assume their network is compromised and act accordingly,” Palmer says.
In fact, a recent study from Tenable found that 72 percent of organizations remain vulnerable to the Log4j (or Log4Shell) vulnerability as of October 1, 2022, reports Shannon Williams.
“Full remediation is very difficult to achieve for a vulnerability that is so pervasive, and it’s important to keep in mind that vulnerability remediation is not a one and done process,” explains Bob Huber, Tenable’s Chief Security Officer. “While an organization may have been fully remediated at some point, as they have added new assets to their environments, they are likely to encounter Log4Shell again and again.”
Additionally, Palmer notes, “cyber criminals don't forget about old security flaws and vulnerabilities — and as long as Log4j instances remain unmitigated, they'll be targeting them.”