Thursday, March 28, 2024

Over 35,000 Java Packages Impacted by Flaws in The Apache Log4j library

More than 35,000 Java packages that use vulnerable versions of the Apache Log4j library are affected by its security flaws, Google has warned.

During a routine check, the Google Open Source Team recently scanned Maven Central, the largest Java package repository, and found 35,863 packages that depend on vulnerable versions of the Apache Log4j library.

This is not a small number: it amounts to 8% of the total, and all of these packages use versions of the Apache Log4j library that are vulnerable to:

By comparison, a significant Java vulnerability typically affects only 2% of the Maven Central index.

Spread of log4j vulnerability

Since the log4j vulnerability was disclosed, the community has already fixed 4,620 of the 35,863 vulnerable packages, which clearly shows the massive effort made by the following:

  • Open-source community
  • Open-source maintainers
  • Information security teams
  • Consumers across the globe

In other words, 8% of all packages on Maven Central have at least one version affected by this vulnerability.

Any version that depends on an affected version of log4j-core or log4j-api, as described in the CVEs, is counted as affected. Why does this matter? Because direct dependencies account for only around 7,000 of the vulnerable artifacts.

For the rest, log4j is not declared explicitly as a dependency of the artifact; it arrives through indirect dependencies and is pulled in as a transitive dependency.

Fixing the open-source JVM ecosystem

An affected artifact is considered fixed once it has either updated to log4j 2.16.0 or removed its dependency on log4j altogether.

As of now, more than 5,000 affected artifacts have already been fixed, and the rapid response shows how promptly the log4j maintainers are acting and how wide their community of open-source consumers is.

It’s hard fixing the JVM ecosystem

Because most artifacts depend on log4j indirectly, they sit deep in a dependency chain, and the deeper they sit, the more steps are required before a fix reaches them.

The most suitable way to avoid falling victim to attacks of this kind is to fix these problems, which can be done by updating your current version of log4j to 2.17.0.
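As an added example (not from the article or from Google's scan), the following Python script walks a constructed `mvn dependency:tree` listing, reports every log4j-core or log4j-api node older than 2.17.0, and shows whether each one is a direct dependency or how deep in the transitive chain it sits. The tree text, project and library names are invented for illustration; only the log4j coordinates and the 2.17.0 threshold come from the article.

```python
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output; project names are invented.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:web-lib:jar:3.2.0:compile
[INFO] |  \\- com.example:util:jar:1.1.0:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] \\- org.springframework:spring-core:jar:5.3.13:compile
"""

FIXED_VERSION = (2, 17, 0)          # version the article recommends updating to
LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACTS = {"log4j-core", "log4j-api"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); missing or non-numeric parts count as 0."""
    nums = [int(p) if p.isdigit() else 0 for p in v.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def find_vulnerable_log4j(tree_text: str) -> List[dict]:
    """Report each log4j node below FIXED_VERSION with its depth and the
    chain of artifacts that pulled it in (empty for a direct dependency)."""
    findings, path = [], []
    for line in tree_text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        coord = body.lstrip("|+\\- ")        # drop the tree-drawing prefix
        if not coord:
            continue
        depth = (len(body) - len(coord)) // 3  # each tree level is 3 chars wide
        del path[depth:]                     # leave the previous sibling's subtree
        path.append(coord)
        parts = coord.split(":")  # groupId:artifactId:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue
        version = parts[-2] if len(parts) >= 5 else parts[3]
        if (parts[0] == LOG4J_GROUP and parts[1] in LOG4J_ARTIFACTS
                and parse_version(version) < FIXED_VERSION):
            findings.append({
                "artifact": parts[1], "version": version, "depth": depth,
                "direct": depth == 1,
                "via": [p.split(":")[1] for p in path[1:-1]],
            })
    return findings
```

On the sample, `find_vulnerable_log4j(SAMPLE_TREE)` reports the direct log4j-core 2.14.1 at depth 1 and a second log4j-core 2.15.0 at depth 3 reached via web-lib and util; on a real project, feed it the saved output of `mvn dependency:tree`.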

Beyond applying the latest patched version, it is also recommended to keep your operating system, browser, and any other programs you use up to date.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.