2021 Sets Record for Most Vulnerabilities Disclosed
Today, the 2021 Year End Vulnerability QuickView Report, from Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security, was released. Powered by VulnDB, this report details trends in vulnerabilities for the year, and features a viewpoint from Flashpoint’s Global Threat Intelligence Team on the year’s most significant vulnerability: Log4Shell.
Vulnerability disclosures recover from Covid
After a steady rise each year in the number of vulnerabilities reported, 2020 nearly broke the pattern, showing a marked drop in disclosed vulnerabilities in Q1. However, 2021 numbers indicate that the vulnerability landscape is back on the upswing, with a record-setting 28,695 disclosed vulnerabilities, according to our records.
Keeping pace
“Patch Tuesdays”, the second Tuesday of each month on which major vendors release their patches all at once, were particularly difficult for security teams to keep up with. The data shows a strong correlation between Patch Tuesdays and the daily count of reported vulnerabilities, underscoring the burden this practice places on risk mitigation teams.
Notably, several spikes in disclosures occurred outside of these routine patch days. April 20, for example, saw 287 reported vulnerabilities, the seventh-highest single-day total of 2021.
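The correlation described above is easy to check against a disclosure feed once you can identify Patch Tuesday for any month. The following is an added example, not code from the report or from VulnDB; it computes the second Tuesday of a month, tags each disclosure date as on-cycle or off-cycle, and surfaces the largest off-cycle days. The disclosure dates are constructed sample data, not figures from the report.

```python
from collections import Counter
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Tuesday=1. Distance from the 1st to the first Tuesday,
    # then one more week to reach the second Tuesday.
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def patch_tuesdays(year: int) -> list[str]:
    """All twelve Patch Tuesdays of a year as ISO date strings."""
    return [patch_tuesday(year, m).isoformat() for m in range(1, 13)]


def bucket_disclosures(iso_dates: list[str]) -> dict:
    """Split per-day disclosure counts into Patch Tuesday vs. off-cycle days.

    Returns totals for both buckets plus the three busiest off-cycle days,
    which is where unplanned spikes (like the April 20 example) show up.
    """
    per_day = Counter(iso_dates)
    on_cycle: dict[str, int] = {}
    off_cycle: dict[str, int] = {}
    for day, count in per_day.items():
        d = date.fromisoformat(day)
        bucket = on_cycle if d == patch_tuesday(d.year, d.month) else off_cycle
        bucket[day] = count
    return {
        "patch_tuesday_total": sum(on_cycle.values()),
        "other_total": sum(off_cycle.values()),
        "top_off_cycle_days": sorted(off_cycle.items(), key=lambda kv: -kv[1])[:3],
    }


# Constructed sample: a handful of disclosure dates clustered around the
# April and May 2021 Patch Tuesdays, with an off-cycle spike on April 20.
SAMPLE_DISCLOSURES = (
    ["2021-04-13"] * 40
    + ["2021-04-20"] * 25
    + ["2021-04-14"] * 5
    + ["2021-05-11"] * 30
    + ["2021-05-12"] * 3
)

if __name__ == "__main__":
    print(patch_tuesdays(2021))
    print(bucket_disclosures(SAMPLE_DISCLOSURES))
```

Running this against a real export of disclosure dates gives the on-cycle/off-cycle split directly; the off-cycle list is the one a patch team should review, since those days fall outside any scheduled maintenance window.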
“Despite the vulnerability disclosure landscape shaking off the pandemic, there has been no celebratory fanfare. Now, it is back to business-as-usual and that means vulnerability disclosure counts will likely fall back into the pattern of increasing incrementally each year. As such, organizations that still adopt the mindset of ‘patch everything’ will continue to struggle.”
Brian Martin, Vice President of Vulnerability Intelligence, RBS
Log4Shell becomes the second-largest mega-vulnerability
Log4Shell has grown rapidly since it was discovered in late 2021, with over 1,850 vulnerability references to it and its variants (the highest among mega-vulnerabilities), and over 6,200 vendor/product combinations affected. At its current pace, it is expected to overtake POODLE, which currently holds the top spot for mega-vulnerabilities in VulnDB with the most vendor/product combinations affected, within the next month.
The approximately 6,200 vendor/product combinations currently affected by Log4Shell span over 275 unique vendors and 1,677 unique products, signaling that many organizations have been impacted multiple times across their product lines.
Soon after its disclosure in December, Flashpoint’s Global Threat Intelligence team identified a thread on XSS, a top-tier Russian-language hacking forum, discussing Log4Shell-related activity. Flashpoint analysts traced most of the information in this thread to GitHub repositories that GitHub had initially deleted; in response, threat actors posted cloned repositories containing Log4Shell proof-of-concept exploits faster than GitHub could remove them. Flashpoint analysts also found information about Log4Shell on the English-language illicit community Raid Forums, but the heightened law enforcement attention drawn by the magnitude of this vulnerability led to the removal of threads discussing it.
Public databases fall short
Of the over 28,000 disclosed vulnerabilities in 2021, 29 percent of them were not assigned a CVE ID, while 4 percent have CVE IDs but are in RESERVED status, meaning there is no actionable information attached to them.
With roughly a third of disclosed vulnerabilities absent from CVE/NVD, organizations relying on those feeds lost visibility into a portion of the vulnerabilities that are remotely exploitable, have a public exploit, and have a documented solution. That in turn hindered their ability to address these vulnerabilities first, which is considered best practice and can reduce an organization’s risk and immediate workload by up to 86 percent.
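The prioritization rule above (remotely exploitable, public exploit available, documented solution) and the CVE coverage gap can be expressed as a small triage pass over a vulnerability feed. The following is an added example, not code from the report or from VulnDB. The record layout, field names and the ten sample records are constructed for illustration and do not reflect VulnDB’s actual schema or the report’s figures; the point is to show how the priority subset is selected and how many priority items a CVE/NVD-only feed would miss.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    """Hypothetical vulnerability record (constructed field names, not VulnDB's schema)."""
    vdb_id: str
    cve: Optional[str]        # None when no CVE ID was assigned
    cve_reserved: bool        # True when the CVE exists but is still in RESERVED status
    remote: bool              # remotely exploitable
    public_exploit: bool      # a public exploit exists
    has_solution: bool        # a documented fix or mitigation exists


def cve_coverage(vulns: list[Vuln]) -> dict:
    """Share of records with no CVE, with a RESERVED CVE, and with an actionable CVE."""
    total = len(vulns)
    if total == 0:
        return {"total": 0, "no_cve_pct": 0.0, "reserved_pct": 0.0, "actionable_cve_pct": 0.0}
    no_cve = sum(1 for v in vulns if v.cve is None)
    reserved = sum(1 for v in vulns if v.cve is not None and v.cve_reserved)
    actionable = total - no_cve - reserved
    pct = lambda n: round(100 * n / total, 1)
    return {
        "total": total,
        "no_cve_pct": pct(no_cve),
        "reserved_pct": pct(reserved),
        "actionable_cve_pct": pct(actionable),
    }


def priority_set(vulns: list[Vuln]) -> list[Vuln]:
    """Remotely exploitable, public exploit, documented solution: patch these first."""
    return [v for v in vulns if v.remote and v.public_exploit and v.has_solution]


def workload_reduction_pct(vulns: list[Vuln]) -> float:
    """How much of the backlog drops out when only the priority set is worked first."""
    if not vulns:
        return 0.0
    return round(100 * (1 - len(priority_set(vulns)) / len(vulns)), 1)


def missed_by_cve_feed(vulns: list[Vuln]) -> list[str]:
    """Priority vulnerabilities a CVE/NVD-only consumer cannot see or act on."""
    return [v.vdb_id for v in priority_set(vulns) if v.cve is None or v.cve_reserved]


# Constructed sample feed of ten records.
SAMPLE_FEED = [
    Vuln("V-001", "CVE-2021-0001", False, True, True, True),    # priority, visible in CVE
    Vuln("V-002", None, False, True, True, True),               # priority, no CVE at all
    Vuln("V-003", "CVE-2021-0003", True, True, True, True),     # priority, CVE RESERVED
    Vuln("V-004", "CVE-2021-0004", False, True, True, False),   # no fix yet
    Vuln("V-005", "CVE-2021-0005", False, True, False, True),   # no public exploit
    Vuln("V-006", "CVE-2021-0006", False, False, True, True),   # local only
    Vuln("V-007", None, False, True, False, False),
    Vuln("V-008", "CVE-2021-0008", True, False, False, True),
    Vuln("V-009", "CVE-2021-0009", False, True, True, True),    # priority, visible in CVE
    Vuln("V-010", None, False, False, False, False),
]

if __name__ == "__main__":
    print(cve_coverage(SAMPLE_FEED))
    print([v.vdb_id for v in priority_set(SAMPLE_FEED)])
    print(workload_reduction_pct(SAMPLE_FEED), "% of the backlog deferred")
    print("priority items missed by a CVE/NVD-only feed:", missed_by_cve_feed(SAMPLE_FEED))
```

The last function is the practical check: every ID it returns is a vulnerability that meets the patch-first criteria but would never appear in a pipeline keyed solely on published CVE entries, which is the visibility gap the paragraph describes.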
The 2021 Year End Vulnerability QuickView Report covers vulnerabilities disclosed between January 1, 2021 and December 31, 2021.