Over 35,000 Java Packages Impacted by Flaws in The Apache Log4j library

More than 35,000 Java packages are impacted by the security flaws that use vulnerable versions of the Apache Log4j library as warned by Google.

During the routine checkup, the Google Open Source Team recently scanned the largest Java package repository where they detected 35,863 vulnerable packages of the Apache Log4j library.

This amount is not small since it counts to the 8% of the total and they all are using the Apache Log4j library that is vulnerable to:-

• CVE-2021-44228 – Log4Shell exploit
• CVE-2021-45046 – RCE

However, when a significant Java vulnerability was detected it has been noted that it only affects the 2% of the Maven Central index.

Spread of log4j vulnerability

Since the unveiling of the log4j vulnerability, the community has already fixed 4,620 vulnerable packages out of the 35,863 vulnerable packages. And it clearly depicts that how the massive effort was taken by the following entities:-

• Open-source community
• Open-source maintainers
• Information security teams
• Consumers across the globe

However, at least one version is impacted by this vulnerability among 8% of all the affected packages on Maven Central. 

While any version that depends upon an impacted version of the log4j-core or log4j-api is illustrated in the CVEs. But, why does this happen? This happens due to the direct dependencies accounting for around 7,000 of the vulnerable artifacts.

Here, the log4j is not explicitly represented as a dependency of the artifact since the concerned artifacts arrive from indirect dependencies, and then later as a transitive dependency, they get dragged in.

Fixing the open-source JVM ecosystem

The affected artifacts were updated to 2.16.0 and removed its dependency on log4j altogether, so, here all the affected artifacts will be considered to be fixed.

Right now, more than 5000 affected artifacts were already fixed and the rapid effort of all the log4j maintainers shows that how promptly they are acting and how wider their community of open source consumers is.

It’s hard fixing the JVM ecosystem

Since the maximum number of artifacts are dependent on log4j indirectly, so, for this reason in a dependency chain they become quite deeper. In short, more and more steps are required to fix this vulnerability, as they become deeper.

However, to avoid being victims of cyber attacks of this type the most suitable option is to fix these problems, and here’s it’s possible to do so by updating your current version to version 2.17.0.

Apart from this, along with the latest patched version it’s also recommended to update your operating system, browser, or any program that you use.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.