Friday, May 9, 2025
Homecyber securityOver 35,000 Java Packages Impacted by Flaws in The Apache Log4j library

Over 35,000 Java Packages Impacted by Flaws in The Apache Log4j library

Published on

SIEM as a Service

Follow Us on Google News

More than 35,000 Java packages are impacted by the security flaws that use vulnerable versions of the Apache Log4j library as warned by Google.

During the routine checkup, the Google Open Source Team recently scanned the largest Java package repository where they detected 35,863 vulnerable packages of the Apache Log4j library.

This amount is not small since it counts to the 8% of the total and they all are using the Apache Log4j library that is vulnerable to:-

- Advertisement - Google News

However, when a significant Java vulnerability was detected it has been noted that it only affects the 2% of the Maven Central index.

Spread of log4j vulnerability

Since the unveiling of the log4j vulnerability, the community has already fixed 4,620 vulnerable packages out of the 35,863 vulnerable packages. And it clearly depicts that how the massive effort was taken by the following entities:-

  • Open-source community
  • Open-source maintainers
  • Information security teams
  • Consumers across the globe

However, at least one version is impacted by this vulnerability among 8% of all the affected packages on Maven Central. 

While any version that depends upon an impacted version of the log4j-core or log4j-api is illustrated in the CVEs. But, why does this happen? This happens due to the direct dependencies accounting for around 7,000 of the vulnerable artifacts.

Here, the log4j is not explicitly represented as a dependency of the artifact since the concerned artifacts arrive from indirect dependencies, and then later as a transitive dependency, they get dragged in.

Fixing the open-source JVM ecosystem

The affected artifacts were updated to 2.16.0 and removed its dependency on log4j altogether, so, here all the affected artifacts will be considered to be fixed.

Right now, more than 5000 affected artifacts were already fixed and the rapid effort of all the log4j maintainers shows that how promptly they are acting and how wider their community of open source consumers is.

It’s hard fixing the JVM ecosystem

Since the maximum number of artifacts are dependent on log4j indirectly, so, for this reason in a dependency chain they become quite deeper. In short, more and more steps are required to fix this vulnerability, as they become deeper.

However, to avoid being victims of cyber attacks of this type the most suitable option is to fix these problems, and here’s it’s possible to do so by updating your current version to version 2.17.0.

Apart from this, along with the latest patched version it’s also recommended to update your operating system, browser, or any program that you use.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known...

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows...

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed...

Apache ActiveMQ Vulnerability Allows Attackers to Induce DoS Condition

Critical vulnerability in Apache ActiveMQ (CVE-2024-XXXX) exposes brokers to denial-of-service (DoS) attacks by allowing...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known...

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows...

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed...