Vulnerability Management

Vulnerable Log4j Instances Continue to Be Used

Nearly three years after its discovery, 13% of active Apache Log4j instances remain vulnerable to Log4Shell, Sonatype reported, according to SC Media.

Upon its emergence in late 2021, the immediate widespread exploitation of Log4Shell highlighted the significant impact a single open-source vulnerability can have on the software ecosystem, given that Log4j is embedded in a plethora of enterprise apps, Sonatype said in its report.

The report also showed that more than 500 days were needed to address certain critical flaws. This persistence of the Log4Shell vulnerability has not been a surprise to Ken Durham, director of Qualys Threat Research Unit, who noted persistent challenges in mitigating security flaws, with Log4Shell being particularly "hard to get rid of; they hang on and they just don't let go."

"Some vulnerabilities are easy to patch and to mitigate and remove, and others are more integrated and multilayered and various dependencies," said Durham.
