
Cequence Security: Threat Advisory - LoNg4j shows the persistence of Log4Shell in supply chain

May 2022 by Cequence Security

Cequence Security reports on an issue it has dubbed LoNg4j, which shows that Log4Shell is persisting in global supply chains.

LoNg4j can take as long as 15 hours to discover, in contrast to the traditional Log4j vulnerability, and reveals that organisations are potentially at risk from the vulnerability for years to come. The CQ Prime Threat Research team searched for Log4j and LoNg4j vulnerabilities in the world’s top 50 most-used companies and websites. As of April 29, 2022, an initial scan found at least 10% of the websites vulnerable to Log4j; when exposed to more persistent analysis, that number went up 300%, indicating the potential existence of the LoNg4j vulnerability.

While testing customers’ applications to validate their Log4j patches, Cequence Security discovered that some were still responding as vulnerable to the Log4j vulnerability. With one customer, the number of Log4j vulnerabilities on patched applications went from 10 vulnerable systems, to 8, then 6, and then suddenly 14 vulnerable systems. In total, 38 vulnerable systems were found that contained the Log4j vulnerability. This was because each of the applications that responded back with a positive confirmation was using a popular 3rd-party log storage and analysis cloud service. That 3rd-party log storage and analysis service was still using an unpatched Log4j logging component somewhere within its service but did not realize that it had the vulnerability.

LoNg4j illustrates how interconnected modern enterprise IT infrastructure is and how this digital supply chain extends far beyond the known applications. Today’s businesses are layered with software that has been written using open-source software, 3rd-party software and API-driven cloud software services, helping to ensure that software can be written and deployed quickly. Unfortunately, these pieces of software often bring with them the vulnerabilities that exist within those 3rd-party components. What has resulted is a far-reaching digital supply chain with potentially vulnerable applications running across thousands of organizations. Most security and IT teams probably do not know the full scope and severity of the security blind spots that LoNg4j creates within their organisation.

Cequence expects that, even with extensive patching programs, Log4Shell will continue to remain a hidden risk for many years to come, and makes the following recommendations:

Expand testing parameters to include 3rd-party targets in your digital supply chain
Use all available methods of detection and ensure outbound DNS requests are monitored
Lengthen testing timeframes up to 24 hours to accommodate supply chain traversal, including any log analysis or event correlation
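As an added illustration of the last two recommendations (this is example code, not part of the advisory or of Cequence's tooling), the following Python correlates the canary tokens from authorised test probes with an outbound resolver log and classifies each callback by how long after the probe it arrived, so that lookups that surface hours later via a log-processing service are not lost when the test window is too short. The dnsmasq-style log layout, the canary zone, hostnames, tokens and timestamps are all constructed.

```python
import re
from datetime import datetime

# Constructed probe registry: canary token -> (application tested, time the probe was sent).
# Names, tokens and times are hypothetical.
PROBES = {
    "c4n1": ("app-login.example.test", datetime(2022, 4, 29, 8, 0, 0)),
    "c4n2": ("app-search.example.test", datetime(2022, 4, 29, 8, 5, 0)),
    "c4n3": ("app-checkout.example.test", datetime(2022, 4, 29, 8, 10, 0)),
    "c4n4": ("app-reports.example.test", datetime(2022, 4, 29, 8, 15, 0)),
}

# Constructed outbound resolver log in an assumed dnsmasq-style layout. Each token is
# a label under the canary zone, so any lookup of it proves the probe was parsed somewhere.
DNS_LOG = """\
Apr 29 08:00:03 dnsmasq[811]: query[A] c4n1.canary.example.test from 10.0.0.5
Apr 29 08:00:03 dnsmasq[811]: forwarded c4n1.canary.example.test to 10.0.0.2
Apr 29 09:15:40 dnsmasq[811]: query[A] c4n2.canary.example.test from 10.0.3.9
Apr 29 23:42:11 dnsmasq[811]: query[A] c4n3.canary.example.test from 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ query\[\w+\] (\w+)\.canary\.example\.test from (\S+)$"
)

def parse_callbacks(log_text, year):
    """Return {token: (first_seen, source_ip)} for canary lookups found in the log."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'forwarded' lines and unrelated queries are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        token, src = m.group(2), m.group(3)
        if token not in seen or ts < seen[token][0]:
            seen[token] = (ts, src)
    return seen

def correlate(probes, log_text, window_hours=24, year=2022):
    """Match each probe to its first callback and classify the delay.

    direct  = resolved within an hour, i.e. by the tested application itself
    delayed = hours later, the pattern the advisory attributes to the probe
              travelling into a log storage / analysis service
    missed  = arrived after the test window closed; none = no callback at all
    """
    seen = parse_callbacks(log_text, year)
    results = []
    for token, (target, sent) in probes.items():
        if token not in seen:
            results.append({"token": token, "target": target, "status": "none", "delay_h": None})
            continue
        first, src = seen[token]
        delay_h = (first - sent).total_seconds() / 3600
        status = "missed" if delay_h > window_hours else ("direct" if delay_h <= 1 else "delayed")
        results.append({"token": token, "target": target, "status": status,
                        "delay_h": round(delay_h, 2), "source": src})
    return results

if __name__ == "__main__":
    for r in correlate(PROBES, DNS_LOG, window_hours=12):
        print(r)
```

Run with a 12-hour window, the checkout probe's callback (about 15.5 hours later) is reported as missed; with the 24-hour window the advisory recommends it is caught and classified as delayed.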
