Organizations still downloading vulnerable Log4j versions

Dive Summary:

  • More than 40% of users continue to download vulnerable versions of Apache Log4j, despite urgent efforts to update the software, according to Sonatype, which owns the Maven Central repository, which is considered the most important repository for Java packages.
  • “This is because a lot of companies just haven’t covered the basics,” Brian Fox, Sonatype’s chief technology officer, said by email. Fox says that many companies don’t really know what is in their applications, so instead of releasing specific updates, they are doing intense work. “In short, they are still trying to build their inventory before they start reacting.”
  • More than 17,000 Java packages, representing about 4% of the ecosystem, have been affected by the Log4j vulnerabilities, according to an update blog post from the Google Open Source Insights team. The revised figures are based on Log4j-core, after the above figures were calculated based on the original CVE, which included Log4j-core and Log4j-api.

Dive Insight:

Open Source Insights is an experimental service that Google developed and hosts as a means to help developers better understand the structure and security of open source software packages.

The recent vulnerability in Log4j allows attackers to perform remote code execution by taking advantage of insecure lookups from the Java Naming and Directory Interface (JNDI).

As of December 16, nearly 36,000 of the available Maven Central Java artifacts relied on affected Log4j code. Those figures mean that 8% of all software packages in Maven Central had at least one version affected by the code. That represented a huge increase from the average 2%, Google said.

The figures reflect an industry that is still struggling to recover from what many see as a landmark event in the information security space, as Log4j, found on hundreds of millions of devices around the world, has been attacked by opportunistic threat actors looking to take advantage of a great vulnerability.

Versions of Log4j after 2.0 are in the top 0.003 percentile of the most popular downloads on Maven Central and is the standard logging framework of choice for most other open source Java components, according to Fox, since all the other frameworks interact with the Log4j API.

“The implication of this is that the use of Log4j may be transitively required by its direct dependencies at many levels deep,” said Fox. “Modern compilation tools make it relatively easy to override the version used for its dependencies.”

However, two things must be true, Fox said:

  • The update must be API compliant with the use of dependencies.
  • An organization needs to know that it is actually using Log4j and in which application it needs to apply the override.

Leave a Comment