
Java Code Repository Riddled with Hidden Log4j Bugs; Here's Where to Look

by martyb from SoylentNews on (#5T94J)

upstart writes:

Java Code Repository Riddled with Hidden Log4j Bugs; Here's Where to Look:

About 17,000 Java packages in the Maven Central repository, the most significant collection of Java packages available to developers, are vulnerable to Log4j - and it will likely take "years" for it to be fixed across the ecosystem, according to Google security.

Following the CVE update clarifying that only Log4j-core was affected (eliminating vulnerable instances of Log4j-api), Google Security determined that as of Dec. 19, more than 17,000 packages in Maven Central were vulnerable, about 4 percent of the entire repository. Of those, just 25 percent of the packages had updated versions available, Google added.

For comparison, the Google researchers explained in a Tuesday blog post that the average bug affects between 2 percent and less than 0.01 percent of such packages.

Sonatype, the organization which maintains Maven Central, has a dashboard that's updated several times a day with the latest on Log4j and reported that since Dec. 10, more than 40 percent of the packages being downloaded were still vulnerable, totaling nearly 5 million downloads.

[...] "The majority of affected artifacts come from indirect dependencies (that is, the dependencies of one's own dependencies), meaning Log4j is not explicitly defined as a dependency of the artifact, but gets pulled in as a transitive dependency," the Google team said.

Making these unpatched Log4j versions even sneakier to track down is "how far down the software supply chain it's typically deployed," the analysts added.
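One way to surface the transitive log4j-core pulls the Google team describes is to walk the resolved dependency tree rather than only the dependencies a project declares. The following is an added example, not code from the article, Google or Sonatype: it parses `mvn dependency:tree` output, records the chain that pulls in each log4j-core, and flags versions below a baseline the reader supplies; the tree text and the `2.17.1` baseline are constructed assumptions.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not a real project).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.0:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter:jar:2.5.0:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:internal-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

TREE_CHARS = set("+-\\| ")  # characters Maven uses to draw the tree


def parse_tree(text):
    """Yield (depth, coordinate) for each artifact line; depth 0 is the project."""
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        i = 0
        while i < len(line) and line[i] in TREE_CHARS:
            i += 1
        if i == len(line):
            continue  # blank or decoration-only line
        yield i // 3, line[i:]  # each nesting level is three prefix characters


def find_log4j_core(text):
    """Return every log4j-core occurrence with the dependency chain that pulls it in."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]  # pop back to the parent of this node
        stack.append(coord)
        parts = coord.split(":")  # group:artifact:type[:classifier]:version[:scope]
        if parts[0] == "org.apache.logging.log4j" and parts[1] == "log4j-core":
            version = parts[-2] if len(parts) > 4 else parts[-1]
            # depth 1 is a direct dependency; anything deeper is transitive
            hits.append({"version": version, "path": list(stack), "transitive": depth > 1})
    return hits


def version_tuple(v):
    """Numeric tuple for ordering versions such as '2.14.1' < '2.17.1'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def report(text, minimum):
    """Only the log4j-core entries older than the baseline version you consider patched."""
    return [h for h in find_log4j_core(text) if version_tuple(h["version"]) < version_tuple(minimum)]
```

Run `mvn dependency:tree` in each module and feed its output to `report`; the `path` field shows which declared dependency is responsible, which is what you need to know to pin or exclude it.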

Read more of this story at SoylentNews.
