How enterprises responded to Log4Shell

When the Log4Shell vulnerability appeared in December last year the effects rippled across the cybersecurity world with potentially millions of devices affected.

A new study from Qualys takes a look at how enterprises responded to the vulnerability and how successful their remediation efforts were.

The bad guys were fast to respond, with nearly a million attack attempts launched in just 72 hours following the Log4Shell vulnerability’s disclosure. And of course the attacks came in the run up to the holiday season when many security teams would have been running on skeleton staffing.

The Qualys Cloud Platform scanned more than 150 million IT assets, across the world, flagging 22 million vulnerable app installations. Log4Shell was detected in more than three million vulnerable instances.

More than 50 percent of application installations with Log4j were flagged as ‘end-of-support’ with little likelihood of publishers providing Log4Shell security patches. Over 80 percent of vulnerable assets were found to be on Linux systems.

Average time to remediation after detection was 17 days. Systems which could be exploited remotely were patched faster (12 days) while internal systems were slower. Efforts slowed after the first month too, possibly because security teams found it easier to mitigate Log4Shell rather than permanently fixing it.

“Every man and his dog was talking about this vulnerability at the start of December and we’re still talking about it now into the middle of March. That shows that there is still a lot we need to get right around cybersecurity basics,” Paul Baird, chief technical security officer UK at Qualys, says. “Looking at the data, Log4J is incredibly widespread and it was discussed far and wide. This vulnerability is easy to exploit when patches and mitigations have not been implemented. Log4Shell by its nature is hard to detect, unless you’ve got tools that are capable of finding the vulnerability in all the corners of your environment. Teams are unable to mitigate and therefore at risk.”

You can read more about the research on the Qualys blog and the company has also developed a new open-source Log4j scanning utility to save security teams valuable time.

Image credit: billiondigital/depositphotos.com

Author: Martha Meyer