30% of Apache Log4j Security Holes Remain Unpatched

siteadmin March 23, 2022

The vulnerability in Apache Log4j, the widely used open source Java logging library, has been rated 10.0 under CVSSv3 in the National Vulnerability Database, the worst possible score. Despite this, only 70% of instances have been patched according to Qualys, leaving 30% vulnerable to exploitation. Qualys has reported successful ransomware attacks. More than 50% of programs with Log4j are out of support, increasing the risk. Qualys has released a Log4j scanning utility to aid users.