On December 9, 2021, a zero-day vulnerability in Log4j 2.x (CVE-2021-44228) was publicly disclosed. It is of great concern because a successful exploit gives the attacker remote code execution (RCE) on the affected server, and triggering it requires only that the application log a crafted string.
Since we are a cloud-based Software Composition Analysis (SCA) provider, we have useful customer data that gives insight into the scope of the Log4j vulnerability.
For starters, we found that 95 percent of our enterprise customers – organizations with over 100 applications – use Java.
That doesn’t mean that every organization using Java is using Log4j … but most do. 88 percent of enterprises are using some version of Log4j – the most popular being version 1.2. Note that the 1.x branch is end-of-life and is not affected by this particular flaw, which lives in the 2.x code, so using Log4j at all is not the same as being exposed.
That leads us to the million-dollar question: How many enterprises are using a version of Log4j that is vulnerable to CVE-2021-44228? Nearly 58 percent.
Looking at the same data per Java application rather than per enterprise, approximately 17 percent of Java applications depend on a vulnerable Log4j version.
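What counts as "a vulnerable version" here is a version-range check against the Log4j release history, applied to every log4j-core artifact an application ships. The script below is an added example written for this page, not Veracode code or output of its SCA product. It shows the basic shape of that check: walk a directory, open each JAR/WAR/EAR and any JARs nested one level inside it, read log4j-core's Maven pom.properties for the version, compare it with the range affected by CVE-2021-44228 (2.0-beta9 through 2.14.1, minus the backported fixes 2.3.1 and 2.12.2), and report whether JndiLookup.class is still present, since deleting that class was Apache's documented mitigation for systems that could not upgrade. The sample archives it builds in a temporary directory are constructed placeholders, not real Log4j artifacts, and the directory layout and file names are assumptions made for the demonstration.

```python
"""Find log4j-core archives under a directory and flag versions hit by CVE-2021-44228.

Added example for this page, not Veracode code or SCA output. It does in miniature what an
SCA scan does for this bug: read log4j-core's Maven pom.properties from each .jar/.war/.ear
(and from JARs nested one level inside, e.g. WEB-INF/lib), compare the version with the
affected range, and report whether JndiLookup.class is still present (deleting it was
Apache's documented mitigation for hosts that could not upgrade)."""
import io, os, re, sys, tempfile, zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")
_PRE_RANK = {"beta": 0, "rc": 1, None: 2}  # 2.0-beta9 < 2.0-rc1 < 2.0 (final release)
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(beta|rc)(\d+))?$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 2, 0); '2.0-beta9' -> (2, 0, 0, 0, 9); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad '2.0' to three numeric components
    return tuple(nums) + (_PRE_RANK[m.group(2)], int(m.group(3) or 0))

def is_affected_by_cve_2021_44228(version):
    """Affected: 2.0-beta9 through 2.14.1, except the backported fixes 2.3.1 (Java 6) and
    2.12.2 (Java 7). One CVE only: the follow-up CVEs are why 2.15.0/2.16.0 are not the stop."""
    v = parse_version(version)
    if v is None or not (parse_version("2.0-beta9") <= v <= parse_version("2.14.1")):
        return False
    branch, patch = v[:2], v[2]
    return not ((branch == (2, 12) and patch >= 2) or (branch == (2, 3) and patch >= 1))

def verdict(version, jndi_lookup_present):
    if not is_affected_by_cve_2021_44228(version):
        return "not affected by CVE-2021-44228"
    return "VULNERABLE" if jndi_lookup_present else "mitigated (JndiLookup.class removed)"

def inspect_archive(zf, label):
    """(label, version, verdict) if the open zip is log4j-core, else None."""
    names = zf.namelist()
    if POM_PROPS not in names:
        return None
    m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
    version = m.group(1).strip() if m else ""
    return label, version, verdict(version, JNDI_CLASS in names)

def scan_directory(root):
    """Yield (label, version, verdict) for every log4j-core under root, whether it is a loose
    archive or a JAR nested one level inside another archive (labelled outer!inner)."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fname)
            label = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    found = inspect_archive(zf, label)
                    if found:
                        yield found
                    for inner in zf.namelist():
                        if inner.lower().endswith(".jar"):
                            with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as izf:
                                found = inspect_archive(izf, label + "!" + inner)
                                if found:
                                    yield found
            except zipfile.BadZipFile:
                pass  # extension says archive, content says otherwise (outer or nested)

def _archive(core_version=None, with_jndi=True):
    """Constructed minimal archive bytes; the class entry is placeholder bytes, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if core_version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={core_version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample input (assumed layout): loose jars plus a WAR bundling an old core."""
    os.makedirs(os.path.join(root, "lib"))
    samples = {"lib/log4j-core-2.14.1.jar": _archive("2.14.1"),
               "lib/log4j-core-2.14.1-nojndi.jar": _archive("2.14.1", with_jndi=False),
               "lib/log4j-core-2.12.2.jar": _archive("2.12.2"),
               "lib/log4j-core-2.17.1.jar": _archive("2.17.1")}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", _archive("2.13.3"))

def demo_scan():
    """Scan a freshly built sample tree in a temp dir; return {archive label: verdict}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-demo-")
    build_sample_tree(root)
    return {label: result for label, _version, result in scan_directory(root)}

if __name__ == "__main__":  # pass a directory to scan real archives; default is the sample tree
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = {l: r for l, _v, r in scan_directory(target)} if target else demo_scan()
    for label, result in sorted(results.items()):
        print(f"{label}: {result}")
```

Run it with no arguments to scan the constructed sample tree, or pass a directory such as an application's deployment root to scan real archives. It relies on Maven metadata only, so a shaded or repackaged copy of log4j-core that no longer carries pom.properties would be missed; that gap is one reason production SCA tools also fingerprint the class files themselves rather than trusting the declared version.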
What should you do if you suspect that your organization is vulnerable?
If you are a Veracode SCA customer, you can scan for this vulnerability across all of your applications by accessing this link.
If you are an existing Veracode customer but do not have SCA, please contact your Veracode representative for more information on the courtesy license.
For more detail on the Log4j vulnerability, including remediation guidance and information on additional Log4j vulnerabilities, please check out our Log4j Resources Page.