
Log4Shell Potential Attack Surface Remains Significant


Log4Shell, sometimes referred to simply as Log4j after the Apache Java library it was found in, has been called the software vulnerability of the decade by many analysts and security experts. The vulnerability was discovered at the very end of 2021. Four months and dozens of warnings and alerts later, just how much safer is the global IT landscape when it comes to Log4Shell?

Report on Log4Shell not optimistic

A team of researchers with security firm Rezilion ran an analysis trying to estimate the potential attack surface of systems that are still vulnerable to Log4Shell. The vulnerability resides inside an older version of the hugely popular Apache logging library, running on Java. The findings of the Rezilion research team were not encouraging.

As one might expect, Rezilion had hoped that, thanks to the endless stream of media coverage, articles, and alerts issued in the wake of Log4Shell's discovery, the overwhelming majority of instances running the vulnerable software would have long since been patched. However, the team's findings weren't as positive as they had hoped.

The Rezilion report on the potential attack surface analysis calls the global Log4Shell situation "far from ideal". Using the specialized Shodan search engine, the team scanned for outdated versions of software and servers vulnerable to Log4Shell. The result was a staggering 90,000 vulnerable points exposed to the Internet. According to the research team, this number, although already significant, is just "the tip of the iceberg" compared to what is likely the full potential attack surface for Log4Shell.

Minecraft servers were singled out as an entirely separate category in the research report, due to the huge popularity of the Microsoft-owned game.

The Log4Shell long game

Threat actors were on the prowl within hours of the vulnerability's discovery, knowing that the huge number of devices running the Java logging framework containing the flaw would take a long time to patch. New methods and attempts to approach the vulnerability in different ways have sprung up every week since the flaw's discovery.

While the attack surface for a vulnerability this widespread will likely never disappear entirely, the numbers are still worrying, and more attempts to exploit Log4Shell are to be expected in the coming months.
