2021-12-17



Google’s open source team said it scanned Maven Central, the largest Java package repository, and found that 35,863 Java packages use a vulnerable version of the Apache Log4j library.

This includes Java packages that use a Log4j version vulnerable to the original Log4Shell exploit (CVE-2021-44228) as well as to a second remote code execution bug found in the Log4Shell patch (CVE-2021-45046).

James Wetter and Nicky Ringland, members of the Google Open Source Insights team, said today that major Java security flaws tend to affect only about 2% of the Maven Central index.

However, the 35,000 Java packages vulnerable to Log4Shell make up about 8% of Maven Central’s roughly 440,000 packages, a figure the two describe with a single word: “huge.”

Log4Shell patching process hits first issue

However, in the week since the vulnerability was disclosed, Wetter and Ringland said, the community has been proactive and has already fixed 4,620 of the 35,863 packages initially found to be vulnerable.

That number accounts for 13% of all vulnerable packages.

“This speaks to more effort from open source maintainers, information security teams, and consumers around the world than any other statistic,” Wetter and Ringland said today.

For comparison, the two cite similar statistics for past Java security flaws, where about 48% of the affected upstream and downstream libraries have been updated to fix the vulnerability.

However, they don’t expect the Log4Shell issue to be fully patched, at least not for the next few years.

The main reason is that Log4j is not always a direct dependency of a Java package; often it is a dependency of another dependency, known as an indirect (transitive) dependency.

In these situations, the maintainer of the vulnerable Java package has to wait until the other developers update their own libraries, and in some cases that process can take weeks or months.

According to Google, only about 7,000 of the 35,000 affected packages depend on Log4j directly, so many Java developers will need to replace indirect dependencies that haven’t been updated with secure alternatives. Currently, a Java package is considered safe if it uses Log4j v2.16.0.
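As an added example (not from The Record’s article and not Google’s Open Source Insights tooling), the Python script below shows the direct-versus-indirect distinction the article describes. It reads the text that `mvn dependency:tree` prints, finds every `log4j-core` in the tree, applies the article’s threshold (anything below 2.16.0 is flagged), and reports whether each hit is a direct dependency the project can bump itself or a transitive one reached through another library, which is the case where the maintainer has to wait. The embedded tree and its `com.example` coordinates are constructed for illustration; the `Finding` class and function names are the example’s own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Threshold from the article: a package on Log4j 2.16.0 is treated as safe.
SAFE_VERSION = (2, 16, 0)
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")

# Constructed sample in the format `mvn dependency:tree` prints (not real output):
# the app declares log4j-core itself and also pulls it in through two libraries.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:lib-a:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
[INFO] \- com.example:lib-b:jar:1.1.0:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
""".strip()

# One tree line: "[INFO] " + nesting prefix ("|  " or "   " per level) +
# optional "+- " / "\- " connector + group:artifact:type[:classifier]:version[:scope]
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\|  |   )*)(?P<conn>[+\\]- )?(?P<coord>\S+)$"
)


@dataclass
class Finding:
    version: str                                   # log4j-core version in the tree
    direct: bool                                   # declared by the project itself?
    via: List[str] = field(default_factory=list)   # intermediate libraries (empty when direct)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_coordinate(coord: str) -> Tuple[str, str, str]:
    """Return (group, artifact, version) from a Maven coordinate string."""
    parts = coord.split(":")
    # The root line has no scope (4 parts); dependency lines end in a scope (5 or 6 parts).
    version = parts[3] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version


def find_vulnerable_log4j(tree_text: str) -> List[Finding]:
    """Walk the tree text and flag every log4j-core below SAFE_VERSION with its path."""
    findings: List[Finding] = []
    path: List[str] = []   # coordinates from the root down to the current line
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # other Maven log lines are ignored
        depth = len(m.group("prefix")) // 3 + (1 if m.group("conn") else 0)
        coord = m.group("coord")
        path = path[:depth] + [coord]          # truncate to this depth, then append
        group, artifact, version = parse_coordinate(coord)
        if (group, artifact) != LOG4J_CORE:
            continue
        if parse_version(version) < SAFE_VERSION:
            # path[0] is the project itself, path[-1] is log4j-core; the rest is the chain
            findings.append(Finding(version=version, direct=(depth == 1), via=path[1:-1]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_TREE):
        kind = "direct (bump it yourself)" if f.direct else "transitive via " + " -> ".join(f.via)
        print(f"log4j-core {f.version}: {kind}")
```

On the sample tree this reports the 2.14.1 copy as a direct dependency and the 2.15.0 copy as transitive through `lib-a`; the 2.16.0 copy under `lib-b` is not flagged. Versions are compared as integer tuples because a plain string comparison would wrongly rank "2.9.1" above "2.16.0".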

Image: Google

Catalin Cimpanu is The Record’s cybersecurity reporter. He previously worked for ZDNet and Bleeping Computer. He is known in the industry for his constant reporting on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

