December 15, 2021

58% of Orgs Are Using a Vulnerable Version of Log4j

By Hope Goslin

On December 9, 2021, a zero-day vulnerability in Log4j 2.x was discovered. This vulnerability is of great concern because, if it is successfully exploited, attackers are able to achieve remote code execution (RCE) and compromise the affected server.

Since we are a cloud-based Software Composition Analysis (SCA) provider, we have useful customer data that gives insight into the scope of the Log4j vulnerability.  

For starters, we found that 95 percent of our enterprise customers (organizations with over 100 applications) use Java.

[Chart: Orgs using Java]

That doesn't mean that every organization using Java is using Log4j, but most do: 88 percent of enterprises are using some version of Log4j, the most popular being version 1.2.

[Chart: Orgs using Log4j]

That leads us to the million-dollar question: How many enterprises are using a vulnerable version of Log4j? Nearly 58 percent. 

[Chart: Orgs using vulnerable Log4j]

And if we look at the data in terms of Java applications, approximately 17 percent have a Log4j vulnerability.  

What should you do if you suspect that your organization is vulnerable?  

If you are a Veracode SCA customer, you are able to scan for this vulnerability across your applications by accessing this link.

If you are an existing Veracode customer but do not have SCA, please contact your Veracode representative for more information on the courtesy license.

For more detail on the Log4j vulnerability, including remediation guidance and information on additional Log4j vulnerabilities, please check out our Log4j Resources Page.
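A quick first-pass inventory of the kind the numbers above are built from, added here as an example (it is not Veracode's code): it lists the Log4j jars in a deployment, separates the 1.x line the post says is most common from the 2.x line the zero-day affects, and flags 2.x versions older than a fixed version you supply. The jar list and the "2.16.0" cut-off are constructed sample values, not figures from the post; use the fixed version named in your vendor advisory.

```python
import re

# Constructed sample input (not customer data): jar names as a build tool or a
# file-system walk of a deployed web application might list them.
SAMPLE_JARS = [
    "WEB-INF/lib/log4j-1.2.17.jar",
    "WEB-INF/lib/log4j-api-2.14.1.jar",
    "WEB-INF/lib/log4j-core-2.14.1.jar",
    "WEB-INF/lib/log4j-core-2.16.0.jar",
    "WEB-INF/lib/jackson-databind-2.12.3.jar",
]

# Matches log4j, log4j-api and log4j-core jars and captures the version string.
JAR_RE = re.compile(
    r"(?P<artifact>log4j(?:-core|-api)?)-"
    r"(?P<version>\d+(?:\.\d+)*(?:-[A-Za-z0-9.]+)?)\.jar$"
)


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into a comparable key; a pre-release such as '2.0-beta9'
    sorts before the final '2.0' release."""
    base, _, suffix = version.partition("-")
    numbers = tuple(int(n) for n in base.split("."))
    numbers += (0,) * (3 - len(numbers))          # pad '2.0' to (2, 0, 0)
    return (numbers, 0 if suffix else 1, suffix)   # final release ranks above pre-release


def find_log4j(paths):
    """Return (artifact, version) for every Log4j jar in the path list."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        m = JAR_RE.search(name)
        if m:
            hits.append((m.group("artifact"), m.group("version")))
    return hits


def classify(version: str, fixed_version: str) -> str:
    """Bucket a version against the 2.x zero-day; fixed_version is supplied by
    the caller (an assumption of this example, not a value from the post)."""
    v = parse_version(version)
    if v[0][0] != 2:
        return "not-2.x"            # e.g. the 1.2 line, outside the affected branch
    return "2.x-vulnerable" if v < parse_version(fixed_version) else "2.x-patched"


def report(paths, fixed_version):
    """Map each Log4j jar found to its bucket, e.g. 'log4j-core-2.14.1'."""
    return {f"{a}-{v}": classify(v, fixed_version) for a, v in find_log4j(paths)}
```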


Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.