One in 10 Assets Assessed Are Vulnerable to Log4Shell
If not addressed now, it will define computing in 2022.
Tenable assembles vast amounts of data around every single vulnerability, including the recent high profile Log4Shell. What we’ve determined so far is startling, but not surprising, 10% of all assessed assets are vulnerable to Log4Shell. Meanwhile a disturbing 30% of organizations haven’t even begun looking for this bug, a startlingly negligent delay given the aggressiveness of threat actors hunting for it.
Of the assets that have been assessed, Log4Shell has been found in approximately 10% of them, including a wide range of servers, web applications, containers and IoT devices. Log4Shell is pervasive across all industries and geographies. One in 10 corporate servers being exposed. One in 10 web applications and so on. One in 10 of nearly every aspect of our digital infrastructure has the potential for malicious exploitation via Log4Shell.
Then there’s the sheer number of impacted organizations. Our telemetry shows that as of December 21st, 2021, only 70% of organizations have even scanned for the vulnerability! Log4Shell has been identified as one of the biggest cybersecurity risks we’ve ever encountered, yet many organizations still aren’t taking action: 30% of organizations haven’t begun assessing their environments for Log4Shell, let alone started patching.
Security professionals are stretched thin, and it's all the harder given the holiday timing, but this risk is unique. Broad exploitation has already begun and in one month’s time we expect to see several waves of iteration on this exploit, resulting in more aggressive damage that may be impossible to stop by then.
While EternalBlue, for example, wrought significant attacks, such as WannaCry, the potential here is much greater because of the pervasiveness of Log4j across both infrastructure and applications. No single vulnerability in history has so blatantly called out for remediation. Log4Shell will define computing as we know it, separating those that put in the effort to protect themselves and those comfortable being negligent.
Learn more:
Amit Yoran
Former Chairman and Chief Executive Officer - b. 1970 – d. 2025
Amit Yoran, former chairman and chief executive officer (CEO), passed away on Jan. 3, 2025. Amit led Tenable in its vision to empower organizations to understand and reduce their cybersecurity risk. He brought a unique blend of leadership in the private and public sectors to Tenable. He previously served as RSA’s president, spearheading its transformation into one of the most successful global security companies. Amit joined RSA through its acquisition of NetWitness, the network forensics company he founded and led as CEO. Prior to NetWitness, Amit served as founding director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security. He was also founder and CEO of Riptech, one of the first managed security service providers (MSSP), which Symantec acquired in 2002. Amit served on the board of directors for BlackLine, Inc. (Nasdaq: BL) and the Center for Internet Security (CIS). He was recognized as a security industry thought leader and influencer, and was often sought out for industry events and in the media to provide expert commentary on his vision for cybersecurity’s future.
Related articles
EPSS Shows Strong Performance in Predicting Exploits, Says Study from Cyentia and FIRST
Tenable sponsored research from Cyentia and FIRST, which finds that while vulnerability exploitation is highly variable, EPSS is getting stronger in its ability to predict exploitation. ...
How To Do a Security Audit of Pimcore Enterprise Platform
Our new research paper gives you a roadmap for using Pimcore's features while preserving security....
How Risk-based Vulnerability Management Boosts Your Modern IT Environment's Security Posture
Vulnerability assessments and vulnerability management sound similar – but they’re not. As a new Enterprise Strategy Group white paper explains, it’s key to understand their differences and to shift from ad-hoc vulnerability assessments to continuous, risk-based vulnerability management (RBVM). Read...
- Vulnerability Scanning