Article 5T5PP Understanding the Impact of Apache Log4j Vulnerability (Google)

by corbet from LWN.net on (#5T5PP)
The Google Security Blog looks into the ripple effects of the Log4j vulnerability.

Most artifacts that depend on log4j do so indirectly. The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed. The following diagram shows a histogram of how deeply an affected log4j package (core or api) first appears in consumers' dependency graphs. For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down). These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.
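
The depth measurement described in the quote can be reproduced on any resolved dependency graph. The sketch below is an added example, not code from Google or LWN: it runs a breadth-first search over a small constructed graph (every package name except `log4j-core` and `log4j-api` is hypothetical) to find the depth at which an affected package first appears, builds the histogram, and lists the releases needed along the shortest path, deepest first. It assumes the graph is already resolved and ignores version ranges and alternative paths.

```python
from collections import Counter, deque

# Constructed sample graph: artifact -> direct dependencies.
# All names are hypothetical except the two log4j artifacts from the passage.
DEPS = {
    "app-a": ["web-framework"],
    "app-b": ["log4j-core"],
    "app-c": ["json-lib"],
    "web-framework": ["http-client", "json-lib"],
    "http-client": ["logging-bridge"],
    "logging-bridge": ["log4j-api", "log4j-core"],
    "json-lib": [],
    "log4j-core": ["log4j-api"],
    "log4j-api": [],
}
AFFECTED = {"log4j-core", "log4j-api"}


def first_affected_depth(root, deps=DEPS, affected=AFFECTED):
    """BFS from root; return (depth, path) to the nearest affected package, or None."""
    queue = deque([(root, [root])])
    seen = {root}
    while queue:
        node, path = queue.popleft()
        if node in affected and node != root:
            return len(path) - 1, path
        for dep in deps.get(node, []):
            if dep not in seen:  # guards against cycles and repeated work
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return None


def depth_histogram(consumers, deps=DEPS, affected=AFFECTED):
    """Count consumers by the depth at which an affected package first appears."""
    hits = (first_affected_depth(c, deps, affected) for c in consumers)
    return Counter(hit[0] for hit in hits if hit)


def fix_order(root, deps=DEPS, affected=AFFECTED):
    """Packages on the shortest path that must ship a release, deepest first."""
    hit = first_affected_depth(root, deps, affected)
    return list(reversed(hit[1][:-1])) if hit else []
```
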