FULTON, Maryland, December 22, 2021 (GLOBE NEWSWIRE) – The open source component Log4j has been downloaded nearly five million times since a critical vulnerability in it was first disclosed on December 10. Yet 40% of those downloads are of versions known to be critically vulnerable, according to new data released by Sonatype, the pioneer in smart and secure software supply chain automation.
As administrators of the Central Repository, the largest public repository of open source Java components, Sonatype has the unique ability to analyze patterns and practices related to the consumption and use of millions of open source libraries, including Log4j.
Consumption data related to Log4j has been compiled into a new Log4j Vulnerability Resource Center, a tool for tracking and publishing the latest findings and the progress of remediation. Sonatype experts update the resource center several times a day as the attack spreads into new corners of the open source ecosystem. It tracks:
- A “positivity rate”: the percentage of downloads that are of vulnerable versions versus fixed versions, showing whether the problem is improving
- Hourly captures of download volumes for specific Log4j versions
- Hourly updates on the percentage of downloads by version
- The percentage of vulnerable and non-vulnerable downloads by country since the vulnerability was disclosed
“Log4j is one of the most popular Java projects on Maven Central and is the standard logging framework of choice for most other open source Java components, found in 7,000 projects,” said Brian Fox, co-founder and CTO of Sonatype. “The good news is that we have seen very rapid adoption of fixed versions in most parts of the world. However, the data indicates that this adoption is not consistent globally and not complete, leaving 40% of ongoing downloads on vulnerable versions, with some parts of the world still getting vulnerable versions up to 80% of the time.”
Free resources to stop the spread of Log4Shell
Sonatype has shared a number of free resources for the community, including an easy way to scan applications for the Log4Shell vulnerability, whether you are an open source project maintainer, a developer, or a security professional.
The company has opened its long-standing enterprise-grade Nexus Intelligence data for the Log4Shell vulnerability, making it accessible on Sonatype’s free online intelligence platform OSS Index, on its Sonatype Lift code analysis platform (free for open source projects), and in third-party tools that consume OSS Index data, such as OWASP Dependency-Check. Open source maintainers publishing to the Central Repository can also generate a software bill of materials (SBOM) for every version they make available there.
Lastly, Sonatype offers an always-free vulnerability scanner that you can download or use online. It alerts you not only to vulnerable versions of Log4j declared directly in your repositories, but also expands transitive dependencies to find copies pulled in indirectly. It also goes beyond scanning manifests, using proprietary binary fingerprinting to identify what is actually inside a component, including partially modified instances of it.
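As an added illustration of the kind of check described above (example code written for this page, not Sonatype's scanner), the following Python script identifies log4j-core inside JAR, WAR and EAR files by the bytecode it contains rather than by manifest or metadata alone, and recurses into archives nested inside other archives, which is where transitively packaged copies live. The JndiLookup.class path and the Maven pom.properties path are the real locations in official Log4j builds; the 2.17.0 cutoff is an assumption tied to this release's date; the archives it scans are constructed in memory with placeholder bytes, not real Log4j code.

```python
# Added example for this page, not Sonatype's scanner: a manifest-independent check
# for log4j-core inside JAR/WAR/EAR files that recurses into nested archives.
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Class behind the JNDI lookup abused by Log4Shell (CVE-2021-44228). Its presence
# identifies log4j-core bytecode even when Maven metadata is stripped or renamed.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Build metadata written into official log4j-core jars; shaded jars often drop it.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption: 2.17.0 taken as the minimum fixed release at this page's date
# (December 2021); check the current Apache advisory before relying on it.
MIN_FIXED = (2, 17, 0)


@dataclass
class Finding:
    path: str               # archive path; nested entries joined with "!/"
    version: Optional[str]  # None when pom.properties is missing
    status: str             # vulnerable | fixed | unknown-version | jndilookup-removed


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> (0, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g) if g else 0 for g in m.groups()) if m else (0, 0, 0)


def classify(version: Optional[str], has_jndi: bool, min_fixed=MIN_FIXED) -> str:
    if version is None:
        return "unknown-version"  # log4j-core bytecode seen, version metadata gone
    if parse_version(version) >= min_fixed:
        return "fixed"
    # Deleting JndiLookup.class was the published mitigation for old versions;
    # report it separately so it is not mistaken for an upgrade.
    return "vulnerable" if has_jndi else "jndilookup-removed"


def scan_archive(data: bytes, path: str, min_fixed=MIN_FIXED) -> List[Finding]:
    """Return findings for one archive and for every archive nested inside it."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    has_jndi = JNDI_LOOKUP in names
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if has_jndi or version is not None:
        findings.append(Finding(path, version, classify(version, has_jndi, min_fixed)))
    # Transitive packaging: WAR/WEB-INF/lib, fat jars and bundles carry their own copies.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive(zf.read(name), path + "!/" + name, min_fixed))
    return findings


def scan_tree(root: str, min_fixed=MIN_FIXED) -> List[Finding]:
    """Walk a directory and scan every archive found on disk."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full, min_fixed))
    return findings


def make_archive(entries: dict) -> bytes:
    """Build a constructed zip/jar in memory (sample input only, not real Log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> List[Finding]:
    """Constructed WAR bundling a vulnerable jar, a shaded jar with its metadata
    stripped, and a patched jar; class bodies are placeholder bytes."""
    stub = b"\xca\xfe\xba\xbe"
    vulnerable = make_archive({JNDI_LOOKUP: stub, POM_PROPS: b"version=2.14.1\n"})
    shaded = make_archive({JNDI_LOOKUP: stub})  # no pom.properties at all
    patched = make_archive({JNDI_LOOKUP: stub, POM_PROPS: b"version=2.17.0\n"})
    war = make_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable,
                        "WEB-INF/lib/app-all.jar": shaded,
                        "WEB-INF/lib/log4j-core-2.17.0.jar": patched})
    return scan_archive(war, "app.war")
```

`scan_tree("/opt/app")` runs the same check over a deployment directory. Keying on JndiLookup.class rather than on the jar's file name or manifest is what catches a copy of log4j-core that has been shaded into another artifact and had its metadata dropped; such a copy is reported as unknown-version so that it is triaged by hand rather than silently passed. The MIN_FIXED constant is the part that goes stale fastest and should follow the current advisory.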
“Our priority is to help our community of open source users secure their tools and make software supply chains more secure, period. As administrators of the Central Repository, Sonatype has made scanning and analysis tools freely available to the community, and we are pleased to continue that commitment in our response to this historic vulnerability,” said Fox. “With the combination of transitive dependencies and the number of variants of the Log4j vulnerabilities, developers face an incredibly difficult challenge. It is imperative to help with remediation efforts; our team is here for the community.”
Sonatype is the full spectrum software supply chain automation company. We empower developers and security professionals with smart platform tools to innovate more securely at scale. Our platform addresses all elements of an organization’s complete software development lifecycle, including third-party open source code, proprietary source code, infrastructure as code, and containerized code. We help organizations develop high-quality and secure software that fully meets their business needs and those of their end customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already trust our tools and guidance to help them deliver and maintain exceptional and secure software.