SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Advanced Persistent Threat Protection
#
Cybersecurity
#
Servers
1 in 10 servers and web apps vulnerable to Log4Shell
Mon, 27th Dec 2021
FYI, this story is more than a year old
Author image
By Ryan Morris-Reade, Contributor
Follow us

According to telemetry data from cybersecurity company Tenable, as of the 21st of December 2021, only 70% of organisations have even scanned for the Log4Shell vulnerability.

While of the assets that have been assessed, Log4Shell has been found in approximately 10% - including a wide range of servers, web applications, containers and IoT devices.

While many in the security community are working hard to contain the critical vulnerability in Apache, there is concern that not everyone is taking it seriously. Broad exploitation has already begun, and in a month's time, Tenable CEO and chairman, Amit Yoran, expects to see several waves of iteration on this exploit, resulting in more aggressive damage that may be impossible to stop by then.

"Tenable assembles vast amounts of data around every single vulnerability, including the recent high profile Log4Shell," says Yoran.

"What we've determined so far is startling, but not surprising, 10% of all assessed assets are vulnerable to Log4Shell. Meanwhile, a disturbing 30% of organisations haven't even begun looking for this bug, a startlingly negligent delay given the aggressiveness of threat actors hunting for it."

He says 1 in 10 corporate servers is exposed. One in ten of nearly every aspect of digital infrastructure has the potential for malicious exploitation via Log4Shell.

"Then there's the sheer number of impacted organisations. Our telemetry shows that as of December 21st, 2021, only 70% of organisations have even scanned for the vulnerability. Log4Shell has been identified as one of the biggest cybersecurity risks we've ever encountered, yet many organisations still aren't taking action."

Yoran says 30% of organisations haven't begun assessing their environments for Log4Shell, let alone started patching.

Security professionals are stretched thin, and it's made harder due to the holiday timing, but Yoran believes this risk is unique. "Broad exploitation has already begun, and in a month, we expect to see several waves of iteration on this exploit, resulting in more aggressive damage that may be impossible to stop by then," he says.

While EternalBlue, for example, suffered significant attacks, such as WannaCry, the potential here is much more significant because of the pervasiveness of Log4j across both infrastructure and applications.

"No single vulnerability in history has so blatantly called out for remediation," says Yoran.

"Log4Shell will define computing as we know it, separating those that put in the effort to protect themselves and those comfortable being negligent."

Related stories
Half of online traffic in 2024 generated by bots, report finds
Keeper Security launches user-friendly passphrase generator
Axis unveils hybrid cloud platform for adaptable security solutions
Understanding the key to boosting cybersecurity habits: Kaspersky study
Spirent partners with online payments platform to boost cyber defenses
Top stories
Fortinet recognised as Challenger in Gartner's 2024 Magic Quadrant for SSE
Coalition integrates cyber risk platform with top cloud services providers
i-PRO to support Genetec SaaS with new AI-enabled camera models
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption
RiverSafe teams up with Cribl to boost IT & data security services