1 in 10 servers and web apps vulnerable to Log4Shell
According to telemetry data from cybersecurity company Tenable, as of the 21st of December 2021, only 70% of organisations have even scanned for the Log4Shell vulnerability.
Of the assets that have been assessed, Log4Shell has been found in approximately 10%, including a wide range of servers, web applications, containers and IoT devices.
While many in the security community are working hard to contain the critical vulnerability in Apache Log4j, there is concern that not everyone is taking it seriously. Broad exploitation has already begun, and in a month's time, Tenable CEO and chairman Amit Yoran expects to see several waves of iteration on this exploit, resulting in more aggressive damage that may be impossible to stop by then.
"Tenable assembles vast amounts of data around every single vulnerability, including the recent high profile Log4Shell," says Yoran.
"What we've determined so far is startling, but not surprising: 10% of all assessed assets are vulnerable to Log4Shell. Meanwhile, a disturbing 30% of organisations haven't even begun looking for this bug, a startlingly negligent delay given the aggressiveness of threat actors hunting for it."
He says 1 in 10 corporate servers is exposed; one in ten of nearly every aspect of digital infrastructure has the potential for malicious exploitation via Log4Shell.
"Then there's the sheer number of impacted organisations. Our telemetry shows that as of December 21st, 2021, only 70% of organisations have even scanned for the vulnerability. Log4Shell has been identified as one of the biggest cybersecurity risks we've ever encountered, yet many organisations still aren't taking action."
Yoran says 30% of organisations haven't begun assessing their environments for Log4Shell, let alone started patching.
Security professionals are stretched thin, and it's made harder due to the holiday timing, but Yoran believes this risk is unique. "Broad exploitation has already begun, and in a month, we expect to see several waves of iteration on this exploit, resulting in more aggressive damage that may be impossible to stop by then," he says.
While EternalBlue, for example, enabled significant attacks such as WannaCry, the potential here is much more significant because of the pervasiveness of Log4j across both infrastructure and applications.
"No single vulnerability in history has so blatantly called out for remediation," says Yoran.
"Log4Shell will define computing as we know it, separating those that put in the effort to protect themselves and those comfortable being negligent."