Millions of Java Apps Remain Vulnerable to Log4Shell

Log4Shell security

Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found.

Researchers at security firm Rezilion analyzed the current potential attack surface for the vulnerability in the popular open-source Apache Struts framework that threatened to break the internet when it was discovered in December. The flaw in the ubiquitous Java logging library Apache Log is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover.

Rezilion expected that due to the “massive amount of media coverage” the bug unsurprisingly received, the majority of applications would already be patched, Head of Vulnerability Research Yotam Perkal wrote in a report published Tuesday. However, their analysis found a very different story, he said.

“We learned that the landscape is far from ideal and many applications vulnerable to Log4Shell still exist in the wild,” Perkal wrote in the report.

Read more: