Sunday, May 31, 2026

The Log4j Flaw Will Take Years to be Absolutely Addressed


More than 80% of the Java packages affected by the vulnerability in the Apache Log4j library cannot be updated directly; fixing them will require coordination between different project teams.

Shortly after the first vulnerability in the Apache Log4j library (CVE-2021-44228) was disclosed, Google's Open Source Insights Team surveyed all the Java packages in the Maven Central Repository "to determine the scope of the issue in the open source ecosystem of JVM based languages, and to track the ongoing efforts to mitigate the affected packages," say team members James Wetter and Nicky Ringland. The team estimates it could take years before the vulnerability is fully addressed across the Java ecosystem.

A significant part of the problem has to do with indirect (transitive) dependencies. Direct dependencies, where a package explicitly pulls log4j into its own build, are relatively easy to fix: the developer or project owner just has to update log4j to the latest version.

[Figure: log4j-blocked-updates.png]

Many packages instead pull in another library that itself depends on log4j, making log4j an indirect dependency. In that case, the package owner has to wait for the maintainer of that library to update log4j in the library and release a new version, which can then be used to update the package. Every extra library between a package and log4j adds another maintainer who must publish a release before the fix can reach the package.

"The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed," Wetter and Ringland note.
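The dependency-depth problem described above is easy to check for in a single project. The following script is an added example, not code from the article or from Google's Open Source Insights team: it parses the text that `mvn dependency:tree` prints, flags every `log4j-core` whose version falls in the range the Apache advisory lists for CVE-2021-44228 (2.0-beta9 through 2.14.1, excluding the Java 6/7 back-port fixes 2.3.1 and 2.12.2), and reports how deep in the tree each hit sits and how many upstream releases must land before the project can fix it by bumping a direct dependency. The sample tree, the `com.example` coordinates and the helper names are constructed for the example.

```python
"""Scan `mvn dependency:tree` output for log4j-core versions affected by CVE-2021-44228
and report how deep in the dependency chain each vulnerable copy sits."""
import re
from dataclasses import dataclass

# Maven dependency scopes; a coordinate line ends with one of these unless it is the root.
SCOPES = {"compile", "runtime", "provided", "test", "system", "import"}

# One tree line: "[INFO] " + zero or more 3-char tree glyphs + "group:artifact:type[:classifier]:version[:scope]"
LINE = re.compile(r"^\[INFO\] ((?:\+- |\\- |\|  |   )*)(\S+)\s*$")

# Affected log4j-core versions per the Apache advisory for CVE-2021-44228:
# 2.0-beta9 .. 2.14.1, minus the back-port fixes 2.3.1 (Java 6) and 2.12.2 (Java 7).
VULNERABLE_RANGES = [("2.0-beta9", "2.3"), ("2.4", "2.12.1"), ("2.13.0", "2.14.1")]


def version_key(version):
    """Sort key for Log4j-style versions: '2.0-beta9' < '2.0-rc1' < '2.0' < '2.0.1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    major, minor, patch, tag, num = m.groups()
    tag_rank = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[tag]  # final releases sort last
    return (int(major), int(minor), int(patch or 0), tag_rank, int(num or 0))


def is_vulnerable_to_cve_2021_44228(version):
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in VULNERABLE_RANGES)


@dataclass
class Hit:
    artifact: str
    version: str
    depth: int    # 1 = direct dependency of the scanned project
    path: list    # artifactIds from the project root down to this artifact


def parse_tree(text):
    """Yield (depth, groupId, artifactId, version) for every coordinate line in the tree."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:
            continue  # separator rules and banners, not a g:a:type:version coordinate
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        yield len(prefix) // 3, parts[0], parts[1], version


def find_vulnerable_log4j(text):
    """Return a Hit for each affected log4j-core in the tree, with its path from the root."""
    hits, stack = [], []
    for depth, group, artifact, version in parse_tree(text):
        del stack[depth:]          # drop siblings' subtrees when the depth decreases
        stack.append(artifact)
        if (group == "org.apache.logging.log4j" and artifact == "log4j-core"
                and is_vulnerable_to_cve_2021_44228(version)):
            hits.append(Hit(artifact, version, depth, list(stack)))
    return hits


def upstream_releases_needed(hit):
    """Intermediate libraries that must each publish a fixed release before the project
    can pick up the fix by updating a direct dependency (0 for a direct dependency)."""
    return hit.depth - 1


# Constructed sample (hypothetical com.example project) in the format `mvn dependency:tree` prints.
SAMPLE_TREE = "\n".join([
    r"[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---",
    r"[INFO] com.example:app:jar:1.0.0",
    r"[INFO] +- com.example:lib-a:jar:3.2.0:compile",
    r"[INFO] |  \- com.example:lib-b:jar:1.1.0:compile",
    r"[INFO] |     \- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile",
    r"[INFO] |        \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile",
    r"[INFO] \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile",
    r"[INFO] ------------------------------------------------------------------------",
])

if __name__ == "__main__":
    for hit in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"{hit.artifact} {hit.version} at depth {hit.depth}: "
              f"{' -> '.join(hit.path)}; {upstream_releases_needed(hit)} upstream release(s) needed")
```

Run it on real output with `mvn dependency:tree > tree.txt` and feed the file to `find_vulnerable_log4j`. Maven resolves each artifact to a single version, so a direct `log4j-core` dependency at a fixed version in your own pom will win over a vulnerable transitive one; the script shows the version that actually resolved, which is what ends up on the classpath.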

With roughly 440,000 Java packages, Maven Central is the largest and most significant package repository for Java applications, and it gives an accurate picture of the ecosystem, say Wetter and Ringland. The team found 35,863 Java packages using vulnerable versions of log4j (log4j-core and log4j-api), or roughly 8% of the Java packages in Maven Central. When the team re-ran the scan to look only at packages using log4j-core, the artifact that contains the vulnerable code, over 17,000 affected packages were found, or roughly 4% of the ecosystem.

For comparison, when a major Java security flaw is found, it typically affects only about 2% of the packages on Maven Central. The impact the Log4j flaw will have on the Java ecosystem is "enormous," say Wetter and Ringland.

Thousands of packages have already been fixed: "a quick response and mammoth effort both by the log4j maintainers and the broader community of open source consumers," note Wetter and Ringland.
