According to a Tenable study based on more than 500 million tests, 72 percent of organizations remain exposed to the Log4j vulnerability. The data illustrates how hard it is to fix a security vulnerability for good.
When Log4Shell was disclosed in December 2021, companies around the world scrambled to determine their exposure. In the weeks after the vulnerability became public, companies reallocated resources and invested tens of thousands of hours identifying and remediating the problem. One federal cabinet department reported that its security team spent 33,000 hours on the Log4j vulnerability alone.
Tenable's telemetry found that as of December 2021, one in ten assets was vulnerable to Log4Shell, including a wide range of servers, web applications, containers, and IoT devices. October 2022 data showed improvement: 2.5 percent of assets were still vulnerable. However, almost a third (29 percent) of those assets had already been fully remediated once and then saw the vulnerability reappear.
Key Findings:
- 28 percent of organizations worldwide had fully remediated Log4Shell as of October 1, 2022, a 14-point improvement over May 2022.
- 53 percent of organizations were vulnerable to Log4j at some point during the study period, underscoring how widespread Log4j is and why remediation must be repeated even after full remediation has once been achieved.
- In October 2022, 29 percent of affected assets showed Log4Shell again after full remediation had been achieved, typically because a rebuilt or redeployed system reintroduced a vulnerable Log4j version.
- Some industries are further along than others: engineering (45 percent), legal services (38 percent), financial services (35 percent), nonprofits (33 percent), and government (30 percent) lead in the share of fully remediated organizations. Around 28 percent of the organizations that CISA classifies as critical infrastructure have fully remediated.
- North American organizations lead in full remediation (28 percent), followed by Europe, the Middle East and Africa (27 percent), Asia Pacific (25 percent), and Latin America (21 percent).
- North America also has the highest share of organizations that have at least partially remediated Log4j (90 percent), followed by Europe, the Middle East and Africa (85 percent), Asia Pacific (85 percent), and Latin America (81 percent).
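The recurrence figures above point to a practical check: after every rebuild or redeployment, inventory the log4j-core copies actually packaged on the asset rather than trusting the last scan. The following is an added example and is not part of Tenable's study or its tooling. It scans JAR, WAR and EAR archives in Python, recurses into nested archives (a rebuilt fat JAR or WAR is a common way an old copy comes back), reads the Maven pom.properties that log4j-core ships with, classifies each copy against Apache's published fixed releases (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6), and reports whether the JndiLookup.class removal workaround is in place. The sample archives and file paths are constructed in memory for the example, so it runs offline.

```python
"""Re-check packaged log4j-core versions after remediation.

Added example (not Tenable's study or tooling). Scans JAR/WAR/EAR archives,
including nested ones, reads the Maven pom.properties that log4j-core ships
with, and classifies each copy against Apache's published fixed releases:
2.17.1 (Java 8+), 2.12.4 (Java 7), 2.3.2 (Java 6). The sample archives at
the bottom are constructed in memory; the paths are invented.
"""
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", re.M)


def parse_version(pom_properties):
    """(major, minor, patch) from pom.properties text; '2.0-beta9' -> (2, 0, 0)."""
    m = VERSION_RE.search(pom_properties)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def classify(version, jndi_lookup_present):
    """Classify a log4j-core version as fixed, vulnerable, mitigated,
    below-recommended or not-affected.

    'vulnerable'/'mitigated' cover the CVE-2021-44228 range (2.0-beta9 to
    2.14.1, plus pre-fix releases of the 2.3 and 2.12 branches); 'mitigated'
    means JndiLookup.class was removed, the class-removal workaround.
    'below-recommended' means the JNDI lookup bug is fixed but the build is
    older than the release Apache recommends for that branch.
    """
    major, minor, patch = version
    if major < 2:
        return "not-affected"       # Log4j 1.x has no JNDI lookup plugin
    if major > 2:
        return "fixed"
    if minor in (3, 12):            # Java 6 / Java 7 maintenance branches
        first_fix, recommended = {3: (1, 2), 12: (2, 4)}[minor]
        log4shell, fixed = patch < first_fix, patch >= recommended
    else:                           # main 2.x line: JNDI fix 2.15.0, recommended 2.17.1
        log4shell, fixed = minor < 15, (minor, patch) >= (17, 1)
    if fixed:
        return "fixed"
    if log4shell:
        return "mitigated" if not jndi_lookup_present else "vulnerable"
    return "below-recommended"


def scan_archive(data, path):
    """Yield (path, version, status) for each log4j-core in the archive,
    recursing into nested jars/wars so copies inside fat JARs are not missed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode())
            if version:
                yield path, version, classify(version, JNDI_LOOKUP in names)
        for name in sorted(names):
            if name.lower().endswith(NESTED_SUFFIXES):
                yield from scan_archive(zf.read(name), path + "!/" + name)


def check_fleet(files):
    """Scan {path: archive bytes}; return [(path, 'x.y.z', status), ...]."""
    return [(p, ".".join(map(str, v)), s)
            for path, data in files.items()
            for p, v, s in scan_archive(data, path)]


# --- constructed sample data (not real artifacts) ---------------------------
def build_archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def log4j_core_jar(version, with_jndi_lookup=True):
    entries = {POM_PROPS: "version=%s\nartifactId=log4j-core\n" % version}
    if with_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"   # placeholder class bytes
    return build_archive(entries)


SAMPLES = {
    "app/lib/log4j-core-2.14.1.jar": log4j_core_jar("2.14.1"),
    "app/lib/log4j-core-2.17.1.jar": log4j_core_jar("2.17.1"),
    "legacy/log4j-core-2.12.2.jar": log4j_core_jar("2.12.2"),
    # A WAR rebuilt from an old base image: 2.14.1 with JndiLookup stripped.
    "app/service.war": build_archive({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core_jar("2.14.1", False),
    }),
}

if __name__ == "__main__":
    for path, version, status in check_fleet(SAMPLES):
        print("%-60s %-8s %s" % (path, version, status))
```

Running it against real deployments means feeding `check_fleet` the bytes of every archive under the application's classpath and treating anything other than `fixed` or `not-affected` as a finding to reopen, whatever the previous scan said. The class-removal workaround is reported separately because it was an accepted stopgap, but Apache's guidance was still to upgrade.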
About Tenable
Tenable is a Cyber Exposure company. More than 24,000 organizations worldwide rely on Tenable to understand and reduce their cyber risk. The creators of Nessus have combined their vulnerability expertise in Tenable.io, the industry's first platform to provide real-time visibility into, and help secure, any asset on any computing platform. Tenable's customer base includes 53 percent of the Fortune 500, 29 percent of the Global 2000, and large government agencies.