
Since Log4Shell, developers have downloaded a vulnerable version of Log4j four million more times

Four million downloads of a vulnerable version of Log4j in four weeks, accounting for 40 percent of all Log4j downloads. Those numbers could be a lot better.

A month ago, a serious vulnerability was disclosed in Log4j, a popular open source logging library for applications built on Java. Under the name Log4Shell, it gave hundreds of thousands of organizations a rude awakening. State-sponsored hackers embraced the vulnerability, and even the Belgian Ministry of Defense was hit by a Log4Shell attack.

After a series of updates, Log4j is safe today, but the vulnerability remains a popular target for attackers. You would think that, with a problem as serious as Log4Shell, developers would be wary, but according to The Register, vulnerable versions of Log4j were downloaded four million more times after the vulnerability was disclosed. That number accounts for 40 percent of all Log4j downloads in that period.

Sonatype, operator of the Apache Maven Central Repository, is concerned about the huge number of downloads. Ilkka Turunen, CTO of Sonatype: “It is not clear whether the downloads are for legacy software or for testing versions, but it is clear that many users continue to download old versions. They may not even know that the version is old and, in this case, very dangerous.”

Fortunately, there is also good news

Sonatype also points out that last weekend a large share of users (42 percent) specifically downloaded the latest versions, Log4j 2.17.0 and 2.17.1. Log4Shell itself (CVE-2021-44228) was fixed in version 2.15.0, but 2.15.0 and 2.16.0 each turned out to have further issues (an incomplete fix, CVE-2021-45046, and a denial-of-service bug, CVE-2021-45105), and 2.17.0 was followed by another fix in 2.17.1 (CVE-2021-44832), so the latest release is the one to be on. The figure shows that users are not just downloading a patched version but really the latest one. Hopefully this trend will continue, because the vulnerability in Log4j is very critical.

Hopefully you have by now examined all your Java projects for the presence of Log4j and the associated vulnerability. If you have not yet done so, we recommend that you follow our guide immediately.
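One practical way to do that check is to walk a deployment or build-output directory, open every JAR, WAR and EAR (including archives nested inside other archives, which is where stale copies usually hide), read the version from log4j-core's Maven pom.properties and compare it with the first fixed release of its branch (2.17.1, or 2.12.4 and 2.3.2 for the Java 7 and Java 6 branches). The script below is an added example written for this article; it is not the guide mentioned above and not code from Sonatype or the Apache Log4j project. It assumes the JAR still carries the standard pom.properties that Maven Central artifacts ship with, and the demo scans constructed stand-in JARs, not real artifacts.

```python
"""Find log4j-core copies on disk and flag those still affected by Log4Shell
and its follow-up CVEs.  Added example; not the article's guide and not
code from Sonatype or Apache.  Assumes Maven's pom.properties is present."""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")

# First release per 2.x branch carrying the fixes for CVE-2021-44228,
# CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 (per the Apache advisory).
FIXED = {3: (2, 3, 2), 12: (2, 12, 4), "main": (2, 17, 1)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0).  Pre-release tags are
    dropped, which errs on the side of flagging early 2.0 betas."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_vulnerable(version_text):
    """True if this log4j-core version predates the fixed release of its branch."""
    v = parse_version(version_text)
    if v[0] != 2:
        return False  # Log4j 1.x has no JNDI lookup code path; out of scope here
    fixed = FIXED.get(v[1], FIXED["main"])  # 2.3.x and 2.12.x are separate branches
    return v < fixed


def scan_archive(fileobj, label, findings):
    """Inspect one zip archive and recurse into any archive it embeds
    (WEB-INF/lib inside a WAR, nested JARs inside an EAR)."""
    with zipfile.ZipFile(fileobj) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else None
            findings.append({
                "path": label,
                "version": version,
                # JndiLookup.class removed is the Apache stop-gap for Log4Shell,
                # not a substitute for upgrading (later CVEs need the upgrade).
                "jndi_lookup_present": JNDI_CLASS in names,
                # None: log4j-core classes present but version unknown (shaded JAR)
                "vulnerable": is_vulnerable(version) if version else None,
            })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings)


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, name)
                try:
                    scan_archive(path, path, findings)
                except zipfile.BadZipFile:
                    pass  # extension lies; not a real archive
    return sorted(findings, key=lambda f: f["path"])


def make_log4j_core_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core JAR: only the two entries the
    scanner looks at, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
    return buf.getvalue()


def demo():
    """Lay out a constructed project tree (old copy buried in a WAR, current
    copy in lib/) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_log4j_core_jar("2.14.1"))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(make_log4j_core_jar("2.17.1"))
    findings = scan_tree(root)
    for f in findings:
        status = {True: "VULNERABLE", False: "ok", None: "version unknown"}[f["vulnerable"]]
        print(f"{status:15} {f['version'] or '?':8} jndi_lookup={f['jndi_lookup_present']} {f['path']}")
    return findings


if __name__ == "__main__":
    demo()
```

Point it at a real tree with `scan_tree("/opt/myapp")`. A `vulnerable: None` result means log4j-core classes were found without version metadata, typically a shaded or repackaged JAR; those need a manual look rather than being dismissed.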

Read also: What is Log4Shell and why is the bug so dangerous?
