35,000 Java Packages Impacted by the Log4j Vulnerabilities
Google says that more than 35,000 Java packages are currently impacted by the Log4j vulnerabilities, “with widespread fallout across the software industry.” This amounts to more than 8% of the Maven Central repository, which is considered the most significant Java package repository.
The vulnerabilities, which include the original Log4Shell flaw, CVE-2021-44228, and a second remote code execution (RCE) flaw in the Log4Shell patch, CVE-2021-45046, could allow threat actors to perform RCE attacks. These attacks become possible when the vulnerable JNDI lookup feature of the log4j logging library is exploited. The problem is that the exploitable feature was enabled by default in many versions of the library, Google explained.
The Log4j exploit “has captivated the information security ecosystem since its disclosure on December 9th because of both its severity and widespread impact,” Google noted. The popular logging tool is used by countless software packages and projects. The worst part is that patching the flaw is challenging because users lack visibility into their dependencies and transitive dependencies. The full impact of the flaw is also hard to capture and determine.
So far, Google has found that 35,863 of the available Java artifacts in Maven Central depend on the vulnerable Log4j code. These numbers do not cover all Java packages, such as directly distributed binaries, but “Maven Central is a strong proxy for the state of the ecosystem.”
“As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%,” Google added.
The somewhat good news
At the time of publishing their findings (December 17), Google estimated that nearly five thousand of the affected artifacts were fixed, representing “a rapid response and mammoth effort both by the log4j maintainers and the wider community of open source consumers.”
However, 30,000 artifacts are still affected. Many of them depend on another artifact that has not yet been patched (a transitive dependency), so their own fix is likely blocked until that upstream artifact is updated.
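The visibility problem described above (users not knowing whether log4j-core reaches them through a transitive dependency) is the part a defender can actually check. The script below is an added example, not code from Google or the article: it parses `mvn dependency:tree` output, locates every `org.apache.logging.log4j:log4j-core` node, records the dependency path that pulls it in, and says which of the two CVEs named in the article affect that version. The sample tree is constructed, and the fix versions come from the Apache Log4j security advisories rather than from this article.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed `mvn dependency:tree` output for illustration (not from the article).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- com.example:internal-lib:jar:3.2.0:compile
[INFO]    \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")

# Fix versions per CVE, taken from the Apache Log4j security advisories (not from the
# article), keyed by backport line: 2.3.x (Java 6), 2.12.x (Java 7), None = 2.x mainline.
FIXED_IN = {
    "CVE-2021-44228": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2), None: (2, 15, 0)},
    "CVE-2021-45046": {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2), None: (2, 16, 0)},
}

# One tree line: "[INFO] " + nesting prefix (groups of 3 chars) + "+- "/"\- " + coordinates.
TREE_LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ] {2})*)(?P<branch>[+\\]- )?(?P<coord>\S+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def affecting_cves(version: str) -> List[str]:
    """Return the CVEs from the article that affect this log4j-core version.

    All 2.x releases below the fix version are treated as affected (conservative).
    Log4j 1.x ships as a different artifact (log4j:log4j) and is out of scope here.
    """
    v = parse_version(version)
    if v[0] != 2:
        return []
    hits = []
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(v[:2], fixes[None])  # use the backport line's fix if one exists
        if v < fixed:
            hits.append(cve)
    return hits


@dataclass
class Finding:
    version: str
    depth: int        # 1 = declared directly in the POM, >1 = pulled in transitively
    path: List[str]   # artifact ids from the direct dependency down to log4j-core
    cves: List[str]

    @property
    def transitive(self) -> bool:
        return self.depth > 1


def find_log4j_core(tree_output: str) -> List[Finding]:
    """Walk `mvn dependency:tree` output and report every log4j-core occurrence."""
    findings: List[Finding] = []
    stack: List[str] = []  # artifact ids indexed by depth; the root module sits at index 0
    for line in tree_output.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # plugin banner and other non-tree output
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        version = parts[4] if len(parts) == 6 else parts[3]  # 6 fields when a classifier is present
        depth = len(m.group("prefix")) // 3 + 1 if m.group("branch") else 0
        del stack[depth:]  # leaving a subtree drops the entries below the current depth
        stack.append(artifact)
        if (group, artifact) == LOG4J_CORE:
            findings.append(Finding(version, depth, stack[1:], affecting_cves(version)))
    return findings


def report(tree_output: str) -> List[str]:
    """Human-readable line per log4j-core occurrence, naming the path that brings it in."""
    lines = []
    for f in find_log4j_core(tree_output):
        kind = "transitive via " + " -> ".join(f.path[:-1]) if f.transitive else "direct dependency"
        status = ", ".join(f.cves) if f.cves else "not affected by the two CVEs"
        lines.append(f"log4j-core {f.version} ({kind}): {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TREE)))
```

Run against real output (`mvn dependency:tree > tree.txt`, then feed the file to `report`). A finding with `depth > 1` is exactly the blocked case the article describes: the fix has to land in the upstream artifact named in the path, or the consuming project has to override the version itself.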
On a different note, the CVE-2021-44228 Log4j flaw was recently abused by a new ransomware group known as Khonsari. The U.S. Cybersecurity and Infrastructure Security Agency disclosed the active exploitation of the flaw.