Google: More than 35,000 Java packages impacted by Log4j vulnerabilities

Google's open-source team said they scanned Maven Central, today's largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library.

This includes Java packages that use Log4j versions vulnerable to the original Log4Shell exploit (CVE-2021-44228) and a second remote code execution bug discovered in the Log4Shell patch (CVE-2021-45046).

James Wetter and Nicky Ringland, members of the Google Open Source Insights Team, said in a report today that typically when a major Java security flaw is found, it typically tends to affect only 2% of the Maven Central index.

However, the 35,000 Java packages vulnerable to Log4Shell account to roughly 8% of the Maven Central total of ~440,000, a percentage the two described using just one word—"enormous."

Log4Shell patching process hits first snags

But since the vulnerability was disclosed last week, Wetter and Ringland said the community has responded positively and has already fixed 4,620 of the 35,863 packages they initially found vulnerable.

This number accounts to 13% of all the vulnerable packages.

"This, more than any other stat, speaks to the massive effort by open source maintainers, information security teams and consumers across the globe," Wetter and Ringland said today.

For comparison, the two cite similar stats for past Java security flaws, where roughly 48% of upstream and downstream libraries are updated to fix vulnerabilities.

However, the two don't expect the Log4Shell issue to be patched in full, at least for years to come.

The main reason for this is because Log4j isn't always included as a direct dependency inside Java packages but is also a dependency of another dependency, also known as indirect dependency.

In these situations, maintainers of vulnerable Java packages have to wait on other developers before they can update their own apps, prolonging this process for weeks and months, in some cases.

According to Google, Log4j is a direct dependency in only 7,000 packages of the total 35,000 libraries, and many Java developers will most likely have to switch out indirect dependencies that haven't been updated with safe alternatives. Currently, a Java package is considered safe if it uses Log4j v2.16.0.