A great deal of software is vulnerable to the Log4j flaw, and most administrators and security professionals don’t even know where to look for it. According to Google Security, some 17,000 Java packages in the Maven Central repository, the largest collection of Java packages available to developers, are susceptible to the Log4j vulnerability. It will take “years” to resolve the problem throughout the ecosystem.
After the CVE was updated to state that only Log4j-core was affected, Google Security removed the Log4j-API instances from its count and found that over 17,000 packages in Maven Central were still vulnerable as of Dec. 19, around 4% of the repository. Google said that just 25% of those programs had updated versions available. In a Tuesday blog post, the Google researchers noted that a typical vulnerability affects between 2% and less than .01% of such packages.
Sonatype, the company that runs Maven Central, maintains a dashboard, updated multiple times a day, with the latest Log4j figures. It states that over 40% of the packages downloaded since December 10 were still vulnerable, totaling roughly 5 million downloads. These are brand-new downloads that expose apps and projects to Log4j attacks.
According to Google, Log4j hides in “dependencies” on defective code, both direct and indirect, from the top of the supply chain to the bottom. The researchers said that “how far down the software supply chain it’s typically deployed” makes these unpatched Log4j versions even more challenging to track down.
According to the research, the vulnerability reaches over 80% of the packages through their dependency chains, most of them five levels down (and some as many as nine levels down). These packages will require fixes throughout the dependency tree, starting with the deepest dependencies. Google also notes that Java’s “soft” version constraints make the Log4j issues harder to find.
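To illustrate the dependency-depth problem described above, here is an added example (it is not code from Google’s post or from Sonatype): a small Python script that reads the text output of `mvn dependency:tree`, ignores Log4j-API, and reports every Log4j-core occurrence below a safe version you supply, together with its depth and the chain of dependencies that pulls it in. The sample tree and the coordinates in it are constructed; the minimum safe version is a parameter you set from the current Log4j advisory.

```python
"""Locate log4j-core in `mvn dependency:tree` output and report how deep it sits."""
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` text output (not real project data).
SAMPLE_TREE = r"""[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:lib-a:jar:1.2:compile
[INFO] |  \- com.example:lib-b:jar:3.0:compile
[INFO] |     \- com.example:lib-c:jar:0.9:compile
[INFO] |        \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
"""


@dataclass
class Finding:
    path: list      # artifactIds from the root project down to log4j-core
    version: str
    depth: int      # 1 = direct dependency, 2 and above = transitive


def _version_key(version):
    # Numeric-only comparison: "2.14.1" -> (2, 14, 1); suffixes such as "-beta9" are ignored.
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def find_log4j_core(tree_text, min_safe_version):
    """Return a Finding for every log4j-core older than min_safe_version, with depth and path."""
    # prefix (tree drawing), groupId, artifactId, packaging, version; scope is optional.
    line_re = re.compile(r"^(?:\[INFO\] )?([-| +\\]*)([\w.\-]+):([\w.\-]+):[\w-]+:([\w.\-]+)")
    stack, findings = [], []
    for line in tree_text.splitlines():
        match = line_re.match(line)
        if not match:
            continue                       # build banner, timing lines, etc.
        prefix, group, artifact, version = match.groups()
        depth = len(prefix) // 3           # each tree level is three columns wide
        del stack[depth:]                  # leave the previous branch before descending
        stack.append(artifact)
        # Only log4j-core carries the flaw; log4j-api on its own is not affected.
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            if _version_key(version) < _version_key(min_safe_version):
                findings.append(Finding(list(stack), version, depth))
    return findings


if __name__ == "__main__":
    for f in find_log4j_core(SAMPLE_TREE, "2.17.0"):
        print(f"log4j-core {f.version} at depth {f.depth}: " + " -> ".join(f.path))
```

Run it against `mvn dependency:tree` saved to a file to see which transitive dependency, and at what depth, is the one that needs fixing first.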
Google noted that open-source maintainers and security teams have already made extraordinary efforts to repair systems despite these unusual obstacles. However, much work remains before Log4j is behind the industry. To help, Google has compiled a list of the 500 most-used affected Java packages.