More than 35,000 Java packages impacted by Log4j flaw, Google warns

Google found more than 35,000 Java packages in the Maven Central repository that are impacted by flaws in the Apache Log4j library.

The Google Open Source Team scanned the Maven Central Java package repository and found that 35,863 packages (8% of the total) were using versions of the Apache Log4j library vulnerable to the Log4Shell exploit and to the CVE-2021-45046 RCE.

“More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry.” reads the report published by Google. “As far as ecosystem impact goes, 8% is enormous.”

The Google experts used Open Source Insights, a project that maps open source dependencies, to assess all versions of all artifacts in the Maven Central Repository.

The experts pointed out that direct dependencies account for around 7,000 of the affected packages. Most of the affected artifacts pull in Log4j through indirect dependencies.

“The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed. The following diagram shows a histogram of how deeply an affected log4j package (core or api) first appears in consumers dependency graphs.” reads the post published by the researchers. “For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down). These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.”

But since the vulnerability was disclosed, 13% of all vulnerable packages have been fixed (4,620).
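To measure the dependency depth described above for a single project, the following added example (not code from Google's report or from this article) parses the text output of `mvn dependency:tree`, finds where log4j-core or log4j-api first appears, and lists which packages in that chain have to ship an update, deepest consumer first. The sample tree and every `com.example` coordinate in it are constructed for illustration.

```python
import re

# The two artifacts counted in the Google analysis: log4j-core and log4j-api.
TARGETS = {"org.apache.logging.log4j:log4j-core",
           "org.apache.logging.log4j:log4j-api"}

# One tree line: optional "[INFO] ", 3-char indent units, "+- " or "\- ", coordinate.
LINE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)([+\\]- )?(\S+)$")

def parse_tree(text):
    """Yield (depth, 'group:artifact', chain from root to this node)."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        indent, marker, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:  # banner or separator line, not a coordinate
            continue
        depth = len(indent) // 3 + (1 if marker else 0)
        # Root is group:artifact:type:version; dependencies end with ":scope".
        version = parts[-1] if depth == 0 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes of earlier branches
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        yield depth, f"{parts[0]}:{parts[1]}", list(stack)

def shallowest_log4j(text):
    """Return (depth, chain) for the shallowest log4j node, or None."""
    hits = [(d, c) for d, ga, c in parse_tree(text) if ga in TARGETS]
    return min(hits, key=lambda h: h[0]) if hits else None

def release_order(chain):
    """Packages that must publish a fix, starting next to log4j, ending at root."""
    return list(reversed(chain[:-1]))

# Constructed sample output; coordinates and versions are illustrative only.
SAMPLE = r"""
[INFO] com.example:shop-app:jar:1.0.0
[INFO] +- com.example:billing-client:jar:3.2.0:compile
[INFO] |  +- com.example:http-utils:jar:1.4.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  |     \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \- com.google.guava:guava:jar:30.1-jre:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

if __name__ == "__main__":
    depth, chain = shallowest_log4j(SAMPLE)
    print(f"log4j first appears {depth} levels down: {' -> '.join(chain)}")
    print("fix order:", release_order(chain))
```

Maven prints the tree it resolved, so the chain reported here is the path Maven selected rather than every path that reaches log4j; compare the version at the end of the chain against the fixed release named in the advisory you are tracking.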

How long will it take for this vulnerability to be fixed across the entire ecosystem?

It is not easy to answer this question. The experts analyzed the time spent to fix flaws reported in critical advisories affecting Maven packages and determined that only 48% of the artifacts affected by a vulnerability have been fixed.

Despite the rush in fixing Log4J in the last few days, the overall process could take several years.

“As part of our investigation, we pulled together a list of 500 affected packages with some of the highest transitive usage. If you are a maintainer or user helping with the patching effort, prioritizing these packages could maximize your impact and unblock more of the community. We encourage the open source community to continue to strengthen security in these packages by enabling automated dependency updates and adding security mitigations.” concludes Google.


Pierluigi Paganini

