Monday, February 10, 2025

Over 35,000 Java Packages Impacted by Flaws in The Apache Log4j library


More than 35,000 Java packages are impacted by security flaws because they use vulnerable versions of the Apache Log4j library, Google has warned.

During a routine check, the Google Open Source Team scanned the largest Java package repository and found 35,863 packages that use vulnerable versions of the Apache Log4j library.

This is not a small number: it accounts for 8% of the total, and all of these packages use a version of the Apache Log4j library that is vulnerable to:-

For comparison, it has been noted that when a significant Java vulnerability is found, it typically affects only 2% of the Maven Central index.

Spread of log4j vulnerability

Since the log4j vulnerability was disclosed, the community has already fixed 4,620 of the 35,863 vulnerable packages, which clearly shows the massive effort made by the following:-

  • Open-source community
  • Open-source maintainers
  • Information security teams
  • Consumers across the globe

In other words, 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability.

Direct dependencies, where a version of the artifact itself depends on an impacted version of log4j-core or log4j-api as described in the CVEs, account for around 7,000 of the vulnerable artifacts.

For the rest, log4j is not explicitly listed as a dependency of the artifact: it arrives through indirect dependencies and is dragged in as a transitive dependency.

Fixing the open-source JVM ecosystem

An affected artifact is considered fixed once it has been updated to 2.16.0 or has removed its dependency on log4j altogether.

Right now, more than 5,000 affected artifacts have already been fixed, and the rapid response of the log4j maintainers shows how promptly they are acting and how wide their community of open-source consumers is.

Fixing the JVM ecosystem is hard

Because most artifacts depend on log4j only indirectly, they sit deep in a dependency chain, and the deeper an artifact sits, the more steps are required before the fix reaches it.
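The direct-versus-transitive split and the "depth" problem described above can be made concrete by scanning a project's own dependency tree. The script below is an added example, not code from the article or from Google's scan: it parses text in the shape of `mvn dependency:tree` output (the sample tree is constructed), flags any `log4j-core` or `log4j-api` coordinate below 2.17.0 (the version the article recommends upgrading to), and reports for each finding whether it is a direct dependency (depth 1) or a transitive one, together with the chain of artifacts that pulls it in.

```python
"""Scan a Maven dependency tree for vulnerable log4j artifacts.

Added example (not from the article). It reads text in the format
printed by `mvn dependency:tree`, flags log4j-core/log4j-api below
MIN_SAFE_VERSION and reports whether each hit is direct or transitive
and how deep in the chain it sits. The sample tree is constructed.
"""
import re

# Constructed sample in the style of `mvn dependency:tree` output.
SAMPLE_TREE = """\
com.example:webapp:jar:1.0.0
+- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
|  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
+- com.example:reporting-lib:jar:3.2.0:compile
|  \\- com.example:pdf-tools:jar:1.8.0:compile
|     \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
\\- com.example:metrics:jar:0.9.0:compile
   \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
"""

LOG4J_GROUP = "org.apache.logging.log4j"
AFFECTED_ARTIFACTS = {"log4j-core", "log4j-api"}
# The article recommends updating to 2.17.0; anything older is flagged.
MIN_SAFE_VERSION = (2, 17, 0)

# Maven coordinates: groupId:artifactId:packaging:version[:scope]
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+)")


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_tree(text):
    """Yield (depth, group, artifact, version, path) for every node.

    depth 0 is the project itself, depth 1 a direct dependency and
    anything deeper a transitive one. path is the chain of artifactIds
    from the root down to the node.
    """
    stack = []
    for line in text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        # The tree-drawing prefix ("+- ", "|  \- ", ...) is 3 chars per level.
        depth = match.start() // 3
        group, artifact, version = match.groups()
        del stack[depth:]          # pop back to this node's parent
        stack.append(artifact)
        yield depth, group, artifact, version, list(stack)


def find_vulnerable(text, min_safe=MIN_SAFE_VERSION):
    """Return findings for log4j-core/log4j-api versions below min_safe."""
    findings = []
    for depth, group, artifact, version, path in parse_tree(text):
        if group != LOG4J_GROUP or artifact not in AFFECTED_ARTIFACTS:
            continue
        if parse_version(version) >= min_safe:
            continue
        findings.append({
            "artifact": artifact,
            "version": version,
            "depth": depth,
            "kind": "direct" if depth == 1 else "transitive",
            "path": " -> ".join(path),
        })
    return findings


def summarize(findings):
    """Count direct vs transitive hits, mirroring the article's split."""
    counts = {"direct": 0, "transitive": 0}
    for finding in findings:
        counts[finding["kind"]] += 1
    return counts


if __name__ == "__main__":
    hits = find_vulnerable(SAMPLE_TREE)
    for f in hits:
        print(f"{f['kind']:<10} depth={f['depth']} "
              f"{f['artifact']}:{f['version']}  via {f['path']}")
    print(summarize(hits))
```

On the sample tree the scan reports one direct hit (log4j-core 2.14.1 at depth 1) and two transitive ones, the deepest being log4j-core 2.15.0 three levels down behind `reporting-lib` and `pdf-tools`, which is exactly the case where the project owner cannot fix anything by editing their own POM and has to wait for, or chase, the intermediate maintainers. The script treats every occurrence in the printed tree as a finding; a real `mvn dependency:tree` run applies nearest-wins resolution, so the upgrade step for a deep transitive hit is usually to pin a safe version in `dependencyManagement` until the intermediate artifact ships its own fix.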

However, the most suitable way to avoid becoming a victim of attacks of this type is to fix these problems, which can be done by updating your current version to version 2.17.0.

Apart from installing the latest patched version, it is also recommended to keep your operating system, browser, and any other programs you use up to date.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
