Dive Brief:

• Two years after the historic disclosure of a critical zero-day vulnerability in the Apache Log4j library sent organizations racing to contain the damage, nearly 2 in 5 applications are still using vulnerable versions, according to a report released Thursday from Veracode. 
• The report found nearly one-third of applications are running Log4j2 1.2.x, which reached end-of-life status in August 2015 and no longer receives patch updates. Another 2.8% of applications are still using versions vulnerable to the actual Log4Shell vulnerability.
• Veracode found 3.8% of applications are using Log4j2 2.17.0, which was patched against Log4Shell, but contains CVE-2021-44832, another high severity, remote code execution vulnerability.

Dive Insight:

The report shows a yearslong effort to reform security practices related to software development and the use of open source will require additional work. 

“There is a level of responsibility developers must take for their own applications, and there is definitely room for improvement when it comes to open source software security,” Chris Eng, chief research officer at Veracode, said via email. 

Many developers reacted initially to the vulnerability crisis by properly using security upgrades to install version 2.17.0, but then reverted back to form by no longer patching beyond the release of 2.17.1, according to Eng.

“Log4j has long been upgraded to a non-vulnerable version in projects under the umbrella of the Apache Software Foundation, and this is largely true for the wider active open source ecosystem as well,” a spokesperson for the ASF Security Response team said. “We have actively notified downstream projects of the urgency to upgrade through all proper channels, such as by issuing a high-severity CVE without delay.”

Researchers analyzed data from software scans of more than 38,000 applications over a 90-day period, between Aug. 15 and Nov. 15. The applications were running Log4j versions 1.1 through 3.0.0 alpha 1 across 3,866 different organizations. 

But the findings are not entirely surprising. A 2022 report from the federal Cyber Safety Review Board warned the Log4j crisis would take years to fully resolve.