Four million downloads of a vulnerable version of Log4j in four weeks, which is 40 percent of all Log4j downloads. It could be much better.
A month ago A serious vulnerability has been exposed in Log4j, a popular open source tool for creating logs for Java-based applications. under name Log4Shell Hundreds of thousands of organizations savagely woke up. State-sponsored hackers embracing weakness even Belgian Ministry of Defense injured for Log4Shell attack.
after All series by Updates Log4j is secure today, but the vulnerability remains a Popular target for pirates. You might think with such a serious problem as Log4Shell developers would be wary, but according to record Four million more copies of Log4j were downloaded after the leak was announced. This number represents 40 percent of all Log4j downloads.
Sonatype, the manager of the central Apache Maven repository, is concerned about the huge number of downloads. Ilkka Turunen, Head of Technology at Sonatype: “It is not clear whether the downloads are old software or beta versions, but it is clear that many users keep downloading old versions. They may not even know that the version is outdated and very dangerous in this case.”
Fortunately, there is also good news
Sonatype confirms that last weekend a lot of users (42 percent) downloaded the latest version, Log4j versions 2.17 and 2.17.1. All vulnerabilities have been eliminated from Log4j version 2.15, 2.16 and later. This shows that users are not only downloading the patched version, but actually downloading the latest version. We hope this trend continues because the vulnerability within Log4j is very critical.
Hopefully by now you have already checked all of your Java projects for the presence of Log4j and the associated vulnerability. If you have not done so yet, we advise you to do so immediately Follow our guide.
Read also
