A third of all Log4j instances remain unpatched more than four months after the discovery of a highly critical vulnerability.
Qualys research shows that about 30 percent of all applications, servers and systems running Log4j are still vulnerable to Log4Shell, the infamous flaw. Remote attackers can compromise unpatched systems.
Qualys used the Qualys Cloud Platform to scan for the presence of Log4j in organizations’ systems.
Average patch time
The scan also shows that it took an average of 17 days for Log4j patches to be implemented. Internet-facing systems, servers and applications were patched more quickly — 12 days on average. In total, Qualys experts found more than 28,000 web applications using Log4j.
Furthermore, the study shows that more than 80 percent of the vulnerable Log4j applications are open source. In addition, more than half are in the ‘end-of-support’ phase and are therefore unlikely to be patched.