Critical New 0-day Vulnerability in Popular Log4j Library Discovered | Read Blog

Log4j Exploit Updates

Log4j Download Dashboard

Log4j_Public_2021-12-18T0052 2

Latest Insights

1/6/22:

On Tuesday we saw a huge jump in consumption of 2.17.0 followed yesterday by a similar jump in 2.17.1. It's hard to explain this since .1 has been out for well over a week at this point. Why was everyone suddenly grabbing the .0 when .1 was available?

Taiwan and China are still consuming a massive amount of known vulnerable versions, and as can be seen on the bottom left graph, this has been fairly consistent since the start.

 

--Brian

1/6/22:

On Tuesday we saw a huge jump in consumption of 2.17.0 followed yesterday by a similar jump in 2.17.1. It's hard to explain this since .1 has been out for well over a week at this point. Why was everyone suddenly grabbing the .0 when .1 was available?

Taiwan and China are still consuming a massive amount of known vulnerable versions, and as can be seen on the bottom left graph, this has been fairly consistent since the start.

 

--Brian

FTC Warning in Wake of Log4j: Secure Your Software Supply Chain

FTC Warning in Wake of Log4j: Secure Your Software Supply Chain

Not addressing Log4shell issues are looking at more than downtime or reputation damage. U.S. regulators are considering lawsuits to enforce security.

Read Now
Log4j Video Preview 2

Log4j Exploit Explained - Everything You Need to Know to Protect Yourself

Organizations need to be aware of Log4j not only in the software they produce, but also in the software they use. Any software written in Java is very likely to contain Log4j somewhere in its stack.

Watch Now
image3-3

Critical Log4j Vulnerability Still Being Downloaded 40% of the Time

Sonatype's Java and Apache Software Foundation experts give another update on how the Log4j exploit is evolving, the number of variants we're seeing and share new trends in Log4j downloads. 

Watch Now 

Free Tools to Help You Now

Vulnerability- Scanner-icon-only-White + Color

Nexus Vulnerability Scanner

Produce a Software Bill of Materials and catalog all of the components in your application.

SCAN NOW
Lift-logo-icon-only-white

Sonatype Lift

Find and fix critical security, performance, reliability, and style issues in developer code.

TRY FOR FREE
OWASP-icon

OSS Index

Detect publicly disclosed vulnerabilities contained within your project’s dependencies

LEARN MORE

“This new Log4j vulnerability is likely going to be another “flashbulb memory” event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem.”

—Brian Fox, Sonatype CTO in The Daily Swig

Sonatype Updates

Critical New 0-day Vulnerability in Popular Log4j Library Discovered

BLOG

Critical New 0-day Vulnerability in Popular Log4j Library Discovered 

Read Now
Log4Shell Help for Central Publishers

ARTICLE

Log4Shell Help for Central Publishers

Read Now
Helping The Open Source Community Find, Fix, and Remediate Log4j

BLOG

Helping The Open Source Community Find, Fix, and Remediate Log4j

Read Now
Dissecting the Log4j Vulnerability

VIDEO

Dissecting the Log4j Vulnerability

Watch Now
All Log4j, logback bugs we know so far and why you MUST ditch 2.15

ARTICLE

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS

Read Now
Critical New 0-day Vulnerability in Popular Log4j Library Affecting Applications in Mass

Video

Critical New 0-day Vulnerability in Popular Log4j Library Affecting Applications in Mass

Watch Now
Sonatype Log4j Community Forum

FORUM

Sonatype Log4j Community Forum

Join Now
Find and Fix Log4j with Sonatype

VIDEO

Find and Fix Log4j with Sonatype

Read Now

Have questions about Log4j? Ask the Sonatype community.

ASK NOW

Have questions about Log4j? Ask the Sonatype community.

ASK NOW

Sonatype Documentation & Research

CVE-2021-44228 (Critical):

Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.

CVE-2021-4104 (Moderate):

Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).

CVE-2021-44228 (Critical):

Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.

CVE-2021-4104 (Moderate):

Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).

CVE-2021-45046 (HIGH):

DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0. 

Sonatype-2021-4517 aka CVE-2021-42550 (Moderate):

Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591 

CVE-2021-45046 (HIGH):

DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0. 

Sonatype-2021-4517 aka CVE-2021-42550 (Moderate):

Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591 

Sonatype-2021-4560 (High):

Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.

Sonatype-2021-4560 (High):

Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.

“This is akin to someone figuring out mailing a letter into your post box with a specific address written on it allows them to open all your doors in your house.”

—Brian Fox, Sonatype CTO in BBC

Resources from around the Software Community

The Log4shell CVE from Mitre
Apache Foundation’s Log4j page with details
The Log4shell CVE from Mitre
Apache Foundation’s Log4j page with details
List of Affected Software compiled by Netherlands National Cybersecurity Center
Gartner Article for security leaders
List of Affected Software compiled by Netherlands National Cybersecurity Center
Gartner Article for security leaders

Ready to Try Sonatype?

Secure and automate your software supply chain.

Contact Us Today
Twitter LinkedIn Facebook YouTube GitHub
Products
Free Tools
Solutions
Resources
Customer Portal
Company
SON_logo_white@2x copy trimmed

Sonatype Headquarters - 8161 Maple Lawn Blvd #250, Fulton, MD 20759

Tysons Office - 8281 Greensboro Drive – Suite 630, McLean, VA 22102

Australia Office - 60 Martin Place Level 1, Sydney, NSW 2000, Australia

London Office -168 Shoreditch High Street, E1 6HU London

Copyright © 2008-present, Sonatype Inc. All rights reserved. Includes the third-party code listed here. Sonatype and Sonatype Nexus are trademarks of Sonatype, Inc. Apache Maven and Maven are trademarks of the Apache Software Foundation. M2Eclipse is a trademark of the Eclipse Foundation. All other trademarks are the property of their respective owners.

Terms of Service    Privacy Policy    Event Terms and Conditions   Do Not Sell My Personal Information