A third of all Log4j instances remains unpatched more than four months after the discovery of a highly critical vulnerability.

Qualys research shows that about 30 percent of all applications, servers and systems running Log4j are still vulnerable to Log4Shell, the infamous vulnerability. Unpatched systems can be compromised by remote attackers.

Qualys used the Qualys Cloud Platform to scan for the presence of Log4j in organizations’ systems.

Average patch time

The scan also shows that it took an average of 17 days for Log4j patches to be implemented. Internet-facing systems, servers and applications were patched more quickly — 12 days on average. In total, Qualys experts found more than 28,000 web applications using Log4j.

‘End-of-life’ support

Furthermore, the study shows that more than eighty percent of the vulnerable Log4j applications are open source. In addition, more than half are in the ‘end-of-support’ phase and are therefore unlikely to be patched.

Tip: Log4Shell — what is Log4j, who does it affect and how do you patch it?