
Log4j defects will take years to fully resolve


More than 80% of the Java packages affected by the vulnerability in the Apache Log4j library cannot be directly updated, and different project teams need to coordinate to resolve the vulnerability.

Soon after the first vulnerability in the Apache Log4j library (CVE-2021-44228) was disclosed, Google's Open Source Insights team investigated all Java packages in the Maven Central Repository. Team members James Wetter and Nicky Ringland said the goal was to "identify the scope of the problem in the JVM language-based open source ecosystem and track the ongoing efforts to mitigate the affected packages." The team estimates that it may take years to fully resolve the vulnerability in the Java ecosystem.

A large part of the problem is related to indirect dependencies. The case where log4j is a direct dependency, i.e. the package explicitly pulls log4j into its own code, is relatively easy to fix, because the developer or project owner only needs to update log4j to the latest version.

Many packages instead pull in other libraries that themselves use log4j, which makes log4j an indirect dependency. In this case, the package owner must wait for the maintainer of the intermediate library to update log4j in the library's code and release an updated version, which the package owner can then pick up to update the package.

“The deeper the vulnerability is in the dependency chain, the more steps are required to fix it,” Wetter and Ringland pointed out.

Wetter and Ringland said that Maven Central, with approximately 440,000 Java packages, is the largest and most important package repository for Java applications and therefore gives an accurate picture of the ecosystem. The team found 35,863 Java packages using vulnerable log4j versions (log4j-core and log4j-api), approximately 8% of the Java packages in Maven Central. When the team re-ran the scan to count only the packages that used log4j-core, it found more than 17,000 affected packages, approximately 4% of the ecosystem.
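The two points above, that an indirect dependency needs one coordinated release per hop in the chain and that the affected share of an ecosystem can be measured by scanning a package repository, can be made concrete with a small dependency-graph walk. The following is an added example, not code from the article or from Google's Open Source Insights project; the dependency graph, the `acme-*` package names and the set of versions treated as vulnerable are all constructed for illustration, and it uses a plain Python dictionary where a real scan would read Maven POM metadata.

```python
"""Dependency-chain analysis for a vulnerable library (illustrative example).

Constructed toy graph standing in for a package repository: each package maps
to the dependencies it pins. Only "log4j-core" is a real artifact name; every
"acme-*" package is made up for this example.
"""
from collections import deque

DEPENDENCIES = {
    "log4j-core": {},
    "acme-logging-shim": {"log4j-core": "2.14.1"},     # direct, vulnerable version
    "acme-http-client": {"acme-logging-shim": "1.0"},  # indirect, two releases away
    "acme-web-app": {"acme-http-client": "3.2"},       # indirect, three releases away
    "acme-metrics": {"log4j-core": "2.17.0"},          # direct, but not a flagged version
    "acme-crypto": {},                                 # no log4j anywhere
}

# Constructed sample of versions to flag; a real scan would take the affected
# range from the vendor advisory rather than from a hard-coded set.
VULNERABLE_LOG4J_CORE = {"2.14.0", "2.14.1"}


def direct_dependents(graph, library, bad_versions):
    """Packages that pin a flagged version of `library` themselves (depth 1)."""
    return {pkg for pkg, deps in graph.items() if deps.get(library) in bad_versions}


def reverse_graph(graph):
    """Invert the edges: dependency -> set of packages that depend on it."""
    rev = {pkg: set() for pkg in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def _walk(graph, library, bad_versions):
    """BFS upward from the direct dependents; records depth and the hop used."""
    rev = reverse_graph(graph)
    depth, via = {}, {}
    queue = deque()
    for pkg in sorted(direct_dependents(graph, library, bad_versions)):
        depth[pkg], via[pkg] = 1, library
        queue.append(pkg)
    while queue:
        pkg = queue.popleft()
        for parent in sorted(rev.get(pkg, ())):
            if parent not in depth:          # first visit is the shortest chain
                depth[parent], via[parent] = depth[pkg] + 1, pkg
                queue.append(parent)
    return depth, via


def affected_depth(graph, library="log4j-core", bad_versions=VULNERABLE_LOG4J_CORE):
    """Affected package -> number of releases needed before it can be clean.

    Depth 1 is a direct dependency (one update by the package owner); any
    larger depth means that many maintainers must ship in sequence.
    """
    return _walk(graph, library, bad_versions)[0]


def fix_chain(graph, pkg, library="log4j-core", bad_versions=VULNERABLE_LOG4J_CORE):
    """Shortest release order from the library up to `pkg`; [] if unaffected."""
    depth, via = _walk(graph, library, bad_versions)
    if pkg not in depth:
        return []
    chain = [pkg]
    while chain[-1] != library:
        chain.append(via[chain[-1]])
    return chain[::-1]


def affected_share(graph, library="log4j-core", bad_versions=VULNERABLE_LOG4J_CORE):
    """Fraction of all packages in the graph that are affected, directly or not."""
    return len(affected_depth(graph, library, bad_versions)) / len(graph)


if __name__ == "__main__":
    for pkg, steps in sorted(affected_depth(DEPENDENCIES).items(), key=lambda kv: kv[1]):
        kind = "direct" if steps == 1 else "indirect"
        releases = " -> ".join(fix_chain(DEPENDENCIES, pkg)[1:])
        print(f"{pkg}: {kind}, {steps} release(s) needed: {releases}")
    print(f"affected share of ecosystem: {affected_share(DEPENDENCIES):.0%}")
```

Running the same walk with `library="log4j-api"` alongside `log4j-core` reproduces the two-pass count described above, and the depth column is the quantity behind the remark that deeper chains need more fixing steps: every hop is a separate maintainer who has to release before the next one can.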

By comparison, when a major Java security vulnerability is discovered, it usually affects only about 2% of the packages on Maven Central. Wetter and Ringland said that the impact of Log4j's flaws on the Java ecosystem is "enormous."

Wetter and Ringland pointed out that thousands of packages have already been fixed, crediting "the rapid response and tremendous efforts of log4j maintainers and the wider open source consumer community."
