Skip to main content
close search
site logo
Dive Brief

Organizations still downloading vulnerable Log4j versions

Published Dec. 22, 2021
David Jones's headshot
Reporter
Laptop
iStock / Getty Images Plus via Getty Images

Dive Brief:

  • More than 40% of users continue to download vulnerable versions of Apache Log4j, despite urgent efforts to upgrade the software, according to Sonatype, which owns the Maven Central repository, which is considered the most significant repository of Java packages. 
  • "This is because so many companies simply have not covered the basics," Brian Fox, CTO of Sonatype, said via email. Fox says that many companies don't actually know what is in their applications so instead of launching targeted updates they are doing busy work. "In short, they are still trying to build their inventory before they start to react."
  • More than 17,000 Java packages, representing about 4% of the ecosystem, have been impacted by the Log4j vulnerabilities, according to an updated blogpost from Google's Open Source Insights Team. The revised figures are based on Log4j-core, after prior figures were calculated based on the original CVE, which included Log4j-core and Log4j-api. 

Dive Insight:

Open Source Insights is an experimental service that Google developed and hosts as a means of helping developers gain a better understanding of the structure and security of open source software packages. 

The recent Log4j vulnerability allows attackers to perform remote code execution by taking advantage of insecure Java Naming and Directory Interface (JNDI) lookups. 

As of Dec. 16, almost 36,000 of the available Java artifacts from Maven Central were dependent on the affected Log4j code. Those figures meant that 8% of all software packages on Maven Central had at least one version impacted by the code. That represented an enormous increase from the 2% average, Google said. 

The figures reflect an industry that is still scrambling to recover from what many see as a historic event in the information security space, as Log4j, which is found in hundreds of millions of devices worldwide, has been attacked by opportunistic threat actors looking to take advantage of a major vulnerability. 

Log4j versions beyond 2.0 is in the top 0.003 percentile of most popular downloads across Maven Central and is the standard logging framework of choice for most other Java Open Source components, according to Fox, as every other framework interoperates with the Log4j API. 

"The implication of this is that Log4j usage may be required transitively by your direct dependencies many levels deep," Fox said. "Modern build tools make it relatively easy to override the version used by its dependencies." 

However, two things must be true, Fox said: 

  • The update must be API compatible with a dependencies' usage.
  • An organization must know that they are actually using Log4j and in which application they need to apply the override.
Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell