The vulnerability in the Log4j logging library will reverberate for years to come. Research shows that tens of thousands of projects worldwide contain vulnerable components, and a simple fix does not exist.
Log4Shell, the vulnerability in the open source logging library Log4j, will be felt for years to come. That is partly because it is not always clear to IT professionals whether they are running software or components that embed Log4j: the library is a popular building block in software worldwide, and it is often pulled in indirectly. Large vendors like VMware are on top of it and are shipping patches quickly, but what about software with less visible support?
Under the radar
Google previously discovered that about 17,000 packages in the Maven Central Repository for Java are vulnerable. Security firm JFrog, meanwhile, went looking for packages that incorporate Log4j code directly, i.e., by copying its source or bundling (shading) its classes into their own jar rather than declaring it as a classic dependency. That is a less common scenario, but it means the package's dependency list never mentions Log4j at all. JFrog still discovered about 400 additional vulnerable components in Maven Central this way.
The discovery shows that looking for software that declares the vulnerable library as a dependency is insufficient. To be sure, you actually have to scan for the vulnerable code itself: the Log4j classes as they sit on disk, inside jar files and inside jars nested in other archives, regardless of what any manifest says. That, of course, is a lot more complex, and it immediately illustrates why security researchers worldwide fear that Log4Shell will serve as a loophole for attackers for many years to come.
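The following is an added example, not code from the original article nor from Google's or JFrog's research, of what "scanning for the vulnerable code itself" looks like in practice. It walks archives recursively and reports any jar that contains the `JndiLookup` class (the class that implements the JNDI lookup behind Log4Shell, matched by its path tail so that relocated/shaded copies are found too), reads the Maven `pom.properties` for a version where one exists, and marks copies without metadata for manual review. The sample archives are constructed in memory with placeholder class bytes; the 2.16.0 threshold reflects the release that removed message lookups and disabled JNDI by default.

```python
import io
import os
import zipfile
from typing import Optional

# Presence of this class (possibly under a relocated/shaded package prefix)
# means the JNDI lookup code ships in the archive, whatever the manifest says.
JNDI_CLASS_TAIL = "log4j/core/lookup/JndiLookup.class"
# Maven-built log4j-core jars carry their version here; copied/bundled code usually does not.
POM_TAIL = "org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")
# 2.16.0 removed message lookups and disabled JNDI by default (CVE-2021-44228 / CVE-2021-45046).
FIRST_FIXED = "2.16.0"


def version_key(version: str) -> tuple:
    """Sortable key: numeric parts padded to three; pre-releases (2.0-beta9) rank below the final."""
    core, _, pre = version.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return (*nums[:3], 0 if pre else 1)


def pom_version(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "version":
            return value.strip()
    return None


def scan_archive(data: bytes, label: str, depth: int = 0, max_depth: int = 6) -> list:
    """Walk one archive held in memory, recursing into nested jars/wars (fat jars, WEB-INF/lib)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    names = zf.namelist()
    if any(n.endswith(JNDI_CLASS_TAIL) for n in names):
        pom = next((n for n in names if n.endswith(POM_TAIL)), None)
        version = pom_version(zf.read(pom)) if pom else None
        if version is None:
            status = "review"      # Log4j classes bundled without Maven metadata: version unknown
        elif version_key(version) < version_key(FIRST_FIXED):
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"path": label, "version": version, "status": status})
    if depth < max_depth:
        for n in names:
            if n.lower().endswith(NESTED):
                findings += scan_archive(zf.read(n), f"{label}!/{n}", depth + 1, max_depth)
    return findings


def scan_tree(root: str) -> list:
    """Scan every archive below a directory, e.g. an application server's deploy directory."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(NESTED):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    findings += scan_archive(fh.read(), full)
    return findings


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed sample archives (not real Log4j jars; class bodies are placeholder magic bytes)."""
    cls = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
    pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    core_2_14 = make_zip({cls: b"\xca\xfe\xba\xbe", pom: b"version=2.14.1\n"})
    core_2_17 = make_zip({cls: b"\xca\xfe\xba\xbe", pom: b"version=2.17.1\n"})
    return {
        # classic dependency, two levels deep: only found by recursing into the war
        "app.war": make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": core_2_14}),
        # Log4j classes copied into a fat jar under a relocated package, no Maven metadata
        "fat.jar": make_zip({"shaded/" + cls: b"\xca\xfe\xba\xbe"}),
        "fixed.jar": make_zip({"lib/log4j-core-2.17.1.jar": core_2_17}),
        # the class-removal mitigation: JndiLookup.class deleted, metadata still says 2.14.1
        "stripped.jar": make_zip({pom: b"version=2.14.1\n"}),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        for finding in scan_archive(blob, name):
            print(finding)
```

A "review" result is the case the text is about: Log4j code that no dependency manifest lists, so the version has to be established from the bytecode itself. The scan only shows that the code is present on disk, not whether the application reaches it, and it does not cover Log4j 1.x, which ships different classes.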