Google’s open-source team said they scanned Maven Central, today’s largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library. From a report: This includes Java packages that use Log4j versions vulnerable to the original Log4Shell exploit (CVE-2021-44228) and a second remote code execution bug discovered in the Log4Shell patch (CVE-2021-45046). James Wetter and Nicky Ringland, members of the Google Open Source Insights Team, said in a report today that when a major Java security flaw is found, it typically affects only 2% of the Maven Central index. However, the 35,000 Java packages vulnerable to Log4Shell account for roughly 8% of the Maven Central total of ~440,000, a percentage the two described using just one word — “enormous.” But since the vulnerability was disclosed last week, Wetter and Ringland said the community has responded positively and has already fixed 4,620
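The report above counts packages that pull in a vulnerable `log4j-core` either directly or through a transitive dependency, which is the same question a project owner has to answer for their own build. As an added example (editor's code, not Google's scanner or anything from the report), the script below walks a `mvn dependency:tree` listing, finds every `org.apache.logging.log4j:log4j-core` coordinate at any depth, and flags versions older than a fixed-version threshold. The threshold of 2.16.0 is the editor's assumption for the release that addresses both CVE-2021-44228 and CVE-2021-45046 on Java 8 and later; confirm it against the Apache Log4j security advisory for your Java baseline. The dependency-tree text is constructed for the example, not real project output.

```python
"""Flag vulnerable log4j-core versions, direct or transitive, in a Maven dependency tree.

Editor's example. Input is the text format printed by `mvn dependency:tree`.
"""
import re
from typing import List, Tuple

# ASSUMPTION: first log4j-core release fixing both CVE-2021-44228 and
# CVE-2021-45046 on Java 8+. Verify against the Apache Log4j advisory.
FIXED_VERSION = "2.16.0"

# Constructed sample, not output from any real project. It contains one
# direct vulnerable dependency, one transitive vulnerable dependency pulled
# in by a library, and one fixed version in test scope.
SAMPLE_TREE = """\
[INFO] com.example:webapp:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:reporting:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:test
"""

# Maven coordinate: group:artifact:packaging:version[:scope]
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<pkg>\w+):"
    r"(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)
LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_CORE = "log4j-core"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Numeric (major, minor, patch) tuple so 2.9.1 sorts below 2.16.0.

    Non-numeric suffixes such as '-rc1' are ignored; missing parts are 0.
    """
    nums = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_log4j(tree_text: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str, bool]]:
    """Return (version, scope, is_direct) for each vulnerable log4j-core line.

    is_direct is True for a first-level dependency of the project and False
    for one pulled in transitively by another artifact.
    """
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        if m.group("group") != LOG4J_GROUP or m.group("artifact") != LOG4J_CORE:
            continue
        version = m.group("version")
        if not is_vulnerable(version, fixed):
            continue
        # Tree depth: each level of the mvn output adds a 3-character prefix
        # ("+- ", "\- ", "|  " or "   ") after the "[INFO] " marker.
        prefix = line[: m.start()]
        if prefix.startswith("[INFO] "):
            prefix = prefix[len("[INFO] "):]
        depth = len(prefix) // 3
        hits.append((version, m.group("scope") or "compile", depth == 1))
    return hits


if __name__ == "__main__":
    for version, scope, direct in find_vulnerable_log4j(SAMPLE_TREE):
        kind = "direct" if direct else "transitive"
        print(f"vulnerable log4j-core {version} ({scope}, {kind}) < {FIXED_VERSION}")
```

Run it against real output with `mvn dependency:tree > tree.txt` and pass the file contents to `find_vulnerable_log4j`. The transitive case is the one that matters most here: the `reporting` library in the sample drags in an old `log4j-core` that never appears in the project's own `pom.xml`, which is exactly how most of the 35,000 affected packages became exposed.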

Link to original post https://tech.slashdot.org/story/21/12/20/1930214/more-than-35000-java-packages-impacted-by-log4j-vulnerabilities-google-says?utm_source=rss1.0mainlinkanon&utm_medium=feed from Teknoids News
