Four million downloads of a vulnerable version of Log4j in four weeks, accounting for forty percent of all Log4j downloads. That could be much better.
A month ago, a serious vulnerability within Log4j, a popular open source tool for generating logs for applications built on Java, came to light. Called Log4Shell, it brutally woke up hundreds of thousands of organizations. State-sponsored hackers embraced the vulnerability, and even the Belgian Ministry of Defense was hit by a Log4Shell attack.
After a slew of updates, Log4j is safe today, but the vulnerability remains a popular target for hackers. You would think that with a problem as serious as Log4Shell developers would be wary, but according to The Register, vulnerable versions of Log4j were downloaded another four million times after the vulnerability was disclosed. That number accounted for 40 percent of all Log4j downloads.
Sonatype, administrator of the Apache Maven Central Repository, is concerned about that huge number of downloads. Ilkka Turunen, CTO of Sonatype: “It is not clear whether the downloads are for legacy software or to test versions, but it is clear that a lot of users keep downloading old versions. Possibly they don’t even know that the version is old and in this case very dangerous.”
Fortunately, some good news as well
Sonatype does stress that last weekend a large share of users (42 percent) specifically downloaded the latest versions, Log4j 2.17 and 2.17.1. All vulnerabilities were eliminated from Log4j versions 2.15 and 2.16. This shows that users are downloading not just a patched version, but the very latest one. Hopefully this trend will continue, as the vulnerability within Log4j is very critical.
Hopefully, by now you have already examined all your Java projects for the presence of Log4j and its associated vulnerability. If you haven’t, we recommend following our guide immediately.
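As an added check (not part of this article or of the guide it refers to), the following Python script scans Maven dependency listings for log4j-core coordinates older than 2.17.1, the newest release named above. The sample input is constructed, and the `group:artifact:packaging:version:scope` line layout of `mvn dependency:list` is an assumption to verify against your own build tool.

```python
import re
from typing import Iterable, List, Tuple
# Oldest version accepted as patched here: 2.17.1 is the newest release the
# article names. Adjust to your own policy.
MIN_SAFE = (2, 17, 1)

# group:artifact:packaging:version[:scope], the coordinate layout that
# `mvn dependency:list` prints (assumed here; verify against your build tool).
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):\w+:(?P<version>[\w.\-]+)(?::\w+)?"
)

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.17' -> (2, 17, 0); '2.15.0-rc1' -> (2, 15, 0). Suffixes are dropped."""
    nums: List[int] = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:          # pad so 2.17 compares like 2.17.0
        nums.append(0)
    return tuple(nums)

def find_outdated_log4j(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for each log4j-core older than MIN_SAFE."""
    findings = []
    for line in lines:
        m = DEP_RE.search(line)
        if not m or (m.group("group"), m.group("artifact")) != (
                "org.apache.logging.log4j", "log4j-core"):
            continue
        version = m.group("version")
        if parse_version(version) < MIN_SAFE:
            findings.append((f"{m.group('group')}:{m.group('artifact')}", version))
    return findings

# Constructed sample, shaped like `mvn dependency:list` output (not real data).
SAMPLE = """
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.example:svc-common:jar:1.3.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
""".strip().splitlines()

if __name__ == "__main__":
    for coord, ver in find_outdated_log4j(SAMPLE):
        print(f"OUTDATED {coord}:{ver} -> upgrade to 2.17.1 or later")
```

Run it over `mvn dependency:list` output from each project; a multi-module build or a shaded jar that bundles log4j-core will not appear in this listing and needs a separate inspection.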