Google announces that 35,863 Java packages are affected by the Log4j vulnerability: Log4Shell issues will not be fully fixed for the next few years.


According to Google’s open source team, a scan of Maven Central, the largest Java package repository, has revealed that 35,863 Java packages use a vulnerable version of the Apache Log4j library.

Source report: "Understanding the Impact of Apache Log4j Vulnerability", posted by James Wetter and Nicky Ringland, Open Source Insights Team.

The recently disclosed Log4j vulnerability affects more than 35,000 Java packages, more than 8% of the Maven Central repository (the most important Java package repository), and its impact is felt throughout the software industry.

This vulnerability allows an attacker to remotely execute code by exploiting an insecure JNDI lookup feature exposed by the log library log4j. This exploitable feature was enabled by default in many versions of the library.

This count includes Java packages that use a version of Log4j vulnerable to the original Log4Shell exploit (CVE-2021-44228) or to a second remote code execution bug found in the Log4Shell patch (CVE-2021-45046).

James Wetter and Nicky Ringland, members of Google's Open Source Insights Team, state in their report that when a major security vulnerability in a Java library is discovered, it typically affects only about 2% of the Maven Central index.

However, the 35,000 Java packages vulnerable to Log4Shell represent about 8% of the 440,000 packages in all of Maven Central, a percentage that the two describe in one word: huge.

Patching Log4Shell is the first obstacle

Since the vulnerability was disclosed, however, the community has reacted aggressively and has already fixed 4,620 of the 35,863 packages that were initially found to be vulnerable.

This number corresponds to 13% of all vulnerable packages.

However, the problems with Log4Shell are not expected to be completely fixed for at least the next few years.

The main reason is that Log4j is frequently not a direct dependency of a Java package but a dependency of one of its dependencies (a transitive, or indirect, dependency).

In such a situation, software maintainers of vulnerable Java packages have to wait for other developers before updating their own apps, and in some cases this process can drag on for weeks or months.

According to Google, only about 7,000 of the roughly 35,000 affected packages depend on Log4j directly, and many Java developers will likely have to replace indirect dependencies that have not been updated with safe alternatives.

Currently, Java packages are considered safe if they use Log4j v2.16.0.
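To see why the transitive case is the slow one, here is an added example (not Google's code, nor tooling from the report) that walks the text output of `mvn dependency:tree`, locates `log4j-core`, checks its version against the 2.16.0 the article treats as safe, and reports whether the project can bump it directly or is waiting on a first-level dependency. The sample tree and its `com.example` coordinates are constructed for this example.

```python
import re

LOG4J_CORE = "org.apache.logging.log4j:log4j-core"
SAFE_VERSION = (2, 16, 0)  # the article: packages using Log4j v2.16.0 are considered safe

# Constructed sample of `mvn dependency:tree` output; the com.example coordinates
# are made up for this example and are not real artifacts.
SAMPLE_TREE = """\
[INFO] com.example:shop-service:jar:1.4.2
[INFO] +- com.example:payments-client:jar:3.1.0:compile
[INFO] |  \\- com.example:legacy-logging:jar:0.9.5:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
"""

# Each nesting level of the tree occupies three characters ("+- ", "\- ", "|  " or "   ").
LINE_RE = re.compile(r"^\[INFO\] (?P<indent>(?:[|+\\ -]{3})*)(?P<coord>\S+)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def is_vulnerable(version: str) -> bool:
    """True for a log4j-core 2.x version older than 2.16.0 (1.x is a different code base, out of scope here)."""
    m = VERSION_RE.match(version)
    if not m:
        return True  # unparseable version: flag it so a human reviews it
    major, minor, patch = (int(m.group(i) or 0) for i in (1, 2, 3))
    return major == 2 and (major, minor, patch) < SAFE_VERSION

def find_log4j_core(tree_text: str) -> list:
    """Return every log4j-core node with its version, the path from the project's
    first-level dependency down to it, and which direct dependency the fix waits on."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")   # group:artifact:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue                           # plugin banners, "BUILD SUCCESS", etc.
        depth = len(m.group("indent")) // 3
        name = f"{parts[0]}:{parts[1]}"
        version = parts[3] if len(parts) == 4 else parts[-2]   # the root line has no scope
        del stack[depth:]                      # leave the previous sibling's subtree
        stack.append(name)
        if name == LOG4J_CORE:
            findings.append({"version": version, "vulnerable": is_vulnerable(version),
                             "direct": depth == 1, "path": stack[1:],
                             "blocked_on": None if depth == 1 else stack[1]})
    return findings

if __name__ == "__main__":
    for f in find_log4j_core(SAMPLE_TREE):
        where = "direct dependency" if f["direct"] else f"transitive, waiting on {f['blocked_on']}"
        print(f"log4j-core {f['version']}: {'VULNERABLE' if f['vulnerable'] else 'ok'} ({where})")
        print("  path:", " -> ".join(f["path"]))
```

On a real project, feed it the output of `mvn dependency:tree` for the module you maintain; a non-empty `blocked_on` is the upstream library whose release you depend on, or whose version you must override yourself.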
