"Over 40% of Log4j Downloads Are Vulnerable Versions of the Software"

After the Apache Foundation disclosed and fixed the Log4j vulnerability, over 4 in 10 downloads of the logging tool from the Maven Central Java package repository remained vulnerable versions. A dashboard launched by the Maven Central administrator Sonatype after news of the Log4Shell flaw surfaced reveals that 41 percent of Log4j packages downloaded between February 4 and March 10, 2022, are versions before Log4j 2.15.0, which is the patched version of the logging tool that the Apache Foundation released on December 10, 2021, when the flaw was first disclosed. The Apache Foundation then issued two other updates to fix two subsequent and relatively less severe vulnerabilities found in the logging tool shortly after the Log4Shell disclosure. Sonatype's dashboard showed more than 31.4 million downloads of Log4j in total since December 10, 2021. It remains unknown how many of those downloads were vulnerable versions. However, the latest download statistics suggest that the number could be near or above 10 million. It is still unclear as to why organizations and developers are downloading known vulnerable versions of Log4j packages, and why are those versions are still available for download. Travis Smith, vice president of malware threat research at Qualys, has pointed out a couple of potential reasons for the continued downloads, with the first being that automated build systems are configured to download a specific version build of their dependencies. Lesser-maintained projects often automatically download a specific version to avoid conflicts with updated software, and if the maintainer of that software has not been following news about Log4j, their application is likely to be left open to the risk of exploitation. Another possible reason for the high number of vulnerable Log4j downloads could be that researchers are testing defenses, and adversaries are testing their exploits. Smith and others have said that vulnerable Log4j packages remain available for download via Maven Central because of software dependencies. Many pieces of software still rely on the vulnerable versions of Log4j, and therefore, suddenly removing them could cause systems to malfunction. This article continues to discuss why vulnerable versions of Log4j packages are still being downloaded and why vulnerable Log4j versions remain available for download. 

Dark Reading reports "Over 40% of Log4j Downloads Are Vulnerable Versions of the Software"