Mirroring the explosive growth of open source software, analysis of open source vulnerabilities continues to dominate headlines. In an alarming trend, however, some security vendors have begun citing statistics that downplay risk in order to promote their own services, such as the recent claim that “96% of Log4j in use…was not vulnerable to the Log4Shell zero-day.” At first glance this seems like great news: you only have to fix 4% of your applications. But once you understand how such vulnerability analyses are performed, and how exploitability changes over time as new attack paths are found, the idea of shipping known vulnerable libraries in your applications becomes very uncomfortable. Recommending that high-severity open source vulnerabilities be left in application code is more than irresponsible: it is dangerous.
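Whatever the headline percentage says, the practical first step is to know exactly which log4j-core versions are in your artifacts, including ones buried inside WARs and fat JARs where a naive scan misses them. The following is an added example, not code from the linked article or from the Log4j project: it walks a JAR (and nested JARs) looking for log4j-core's Maven metadata and the JndiLookup class. The metadata path and class path are the real ones shipped in log4j-core; the version thresholds reflect the published fix lines (2.16.0, plus the 2.12.2 and 2.3.1 backports); the sample JARs are constructed in memory so the script runs offline.

```python
"""Inventory check for log4j-core inside JARs, including nested JARs.

Added example. POM_PATH and JNDI_CLASS are the real locations inside a
log4j-core jar; build_jar() constructs stand-in jars for demonstration.
"""
import io
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Versions at or above these points ship with the JNDI lookup disabled/removed.
# 2.16.0 is the main line; 2.12.2 and 2.3.1 are the Java 7 / Java 6 backports.
FIXED_RANGES = [
    ((2, 16, 0), None),
    ((2, 12, 2), (2, 13, 0)),
    ((2, 3, 1), (2, 4, 0)),
]
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' become a third component."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_fixed_version(ver):
    for low, high in FIXED_RANGES:
        if ver >= low and (high is None or ver < high):
            return True
    return False


def assess(jar_bytes, path="<root>", depth=0, max_depth=3):
    """Return [(path, version, status)] for every log4j-core found, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return findings  # not an archive (e.g. a plain .class or resource file)
    with zf:
        names = set(zf.namelist())
        if POM_PATH in names:
            props = {}
            for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            version = props.get("version", "0")
            if is_fixed_version(parse_version(version)):
                status = "patched"
            elif JNDI_CLASS in names:
                status = "vulnerable"            # old version, JNDI lookup class still present
            else:
                status = "mitigated-class-removed"  # the documented stop-gap; still upgrade
            findings.append((path, version, status))
        if depth < max_depth:  # shaded/fat jars and WARs carry libraries as nested archives
            for name in sorted(names):
                if name.lower().endswith(NESTED_SUFFIXES):
                    findings.extend(assess(zf.read(name), f"{path}!{name}", depth + 1, max_depth))
    return findings


def build_jar(version, include_jndi=True, nested=None):
    """Construct a minimal stand-in log4j-core jar (or a wrapper containing nested jars)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PATH, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
            if include_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only; constructed
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Scan a constructed WAR bundling several log4j-core variants."""
    war = build_jar(None, nested={
        "WEB-INF/lib/log4j-core-2.14.1.jar": build_jar("2.14.1"),
        "WEB-INF/lib/log4j-core-2.14.1-stripped.jar": build_jar("2.14.1", include_jndi=False),
        "WEB-INF/lib/log4j-core-2.17.1.jar": build_jar("2.17.1"),
        "WEB-INF/lib/log4j-core-2.12.2.jar": build_jar("2.12.2"),
    })
    return assess(war)


if __name__ == "__main__":
    for path, version, status in demo():
        print(f"{status:24} {version:8} {path}")
```

Treat "mitigated-class-removed" as a reminder to upgrade rather than a clean bill of health, and treat "vulnerable" as exactly that regardless of whether today's reachability analysis says the lookup is not triggered: that is the point the article makes.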
Article Link: Despite What Some Vendors Say, Please Don’t Ignore Log4j