RESOURCE CENTER

Log4J Exploit Updates

Explore this page to stay updated on the latest Log4j exploit developments, access critical fixes, and empower yourself with the knowledge to protect your digital assets.

Log4J Overview

At the heart of the digital landscape, security is paramount. In the wake of the Log4j exploit, our commitment to safeguarding the online world has never been stronger. As the stewards of Maven Central, our teams are working around the clock to ensure that the world has reliable and fast access to the latest Log4shell fixes. In this digital age where data breaches, vulnerabilities, and malware are a fairly common occurrence, our mission is clear: to provide you with the tools and information needed to fortify your digital defenses. Explore insights from our 10th Annual Software Supply Chain Report.

Log4J Percent Monthly Central Downloads

Downloads of vulnerable versions of Log4J still account for more than 10% of monthly Central downloads nearly three years after fixes became available.

[Figure 3.1: Log4J vulnerable versions as a percentage of monthly Maven Central downloads]

Free Tools to Help You Now


Sonatype Vulnerability Scanner

Produce a Software Bill of Materials and catalog all of the components in your application.

Scan Now

OSS Index

Detect publicly disclosed vulnerabilities contained within your project's dependencies.

Get Started

Sonatype Documentation & Research

  • CVE-2021-44228
  • CVE-2021-4104
  • CVE-2021-45046
  • CVE-2021-42550
  • SONATYPE-2021-4560

CVE-2021-44228

CRITICAL

The original Log4j CVE (Log4Shell) that started it all: unauthenticated remote code execution through JNDI lookups in attacker-controlled log messages. Impacts the 2.x artifact “org.apache.logging.log4j:log4j-core” only: versions earlier than 2.15.0 are affected. Upgrade to the latest 2.x release rather than stopping at 2.15.0, since later advisories on this page affect 2.15.0 itself.

CVE-2021-4104

MODERATE

Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether, “log4j:log4j,” and is only exploitable when the application is configured to use JMSAppender, which is not the default. Not applicable to “log4j-core” (those are 2.x versions). Log4j 1.x is end of life, so there is no fixed 1.x release; the remediation is to migrate to a current 2.x version.

CVE-2021-45046

HIGH

Incomplete fix for CVE-2021-44228 impacting log4j-core versions <=2.15.0; fixed in 2.16.0. Initially reported as a denial of service in non-default configurations (a Pattern Layout with a Context Lookup or a Thread Context Map pattern), it was later re-rated after researchers showed it could also leak data and, in some environments, lead to remote code execution. Do not treat 2.15.0 as a safe stopping point.

SONATYPE-2021-4517 AKA CVE-2021-42550

MODERATE

Similar in nature to CVE-2021-4104, but impacts “logback-classic” and “logback-core”; logback is the successor project to log4j 1.x from the same original author and inherits a JNDI-capable configuration. Exploitation requires the attacker to already be able to edit the logback configuration file, which is why the severity is moderate. Sonatype tracks this issue under the ID SONATYPE-2021-4517.

SONATYPE-2021-4560

HIGH

Applies to log4j 2.x versions up to and including 2.15.0. The fixed version to be on is 2.16.0. This finding is based on Praetorian’s blog post showing that 2.15.0 still allowed exfiltration of sensitive data, and was also summarized in a news report. It was published under Sonatype’s Fast-Track process while full disclosure was pending with Apache; its scope overlaps with what CVE-2021-45046 later came to cover.
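To turn the version ranges in the entries above into something that can be run against a build, here is an added example (written for this page; it is not Sonatype's or Apache's code) that reads `mvn dependency:list` style coordinates and reports which of the advisories listed above each dependency matches. The ranges follow the entries on this page; the 2.0-beta9 lower bound and the 2.12.2 / 2.3.1 (Java 7 / Java 6) backport fix releases are taken from the Apache Log4j security advisory, the logback bound (1.2.7 and earlier, fixed in 1.2.8) from the CVE-2021-42550 description, and giving SONATYPE-2021-4560 the same range and exclusions as CVE-2021-45046 is an assumption. The dependency list at the bottom is constructed sample data, not a real project.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "snapshot": 4}


def version_key(version: str) -> tuple:
    """Sort key with Maven-like semantics: numeric parts compare numerically,
    2.15 equals 2.15.0, and a pre-release qualifier (2.0-beta9, 2.15.0-rc1)
    sorts below the bare release of the same number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    qualifier, qnum = m.group(2), m.group(3)
    if qualifier is None:
        return (tuple(nums), (1,))  # a final release beats any qualifier
    return (tuple(nums), (0, _QUALIFIER_RANK.get(qualifier.lower(), 5), int(qnum or 0)))


@dataclass(frozen=True)
class Advisory:
    ident: str
    severity: str
    group: str
    artifacts: frozenset
    min_inclusive: Optional[str]           # None: no lower bound
    max_exclusive: Optional[str]           # None: every version is affected
    not_affected: frozenset = frozenset()  # backported fix releases inside the range

    def matches(self, group: str, artifact: str, version: str) -> bool:
        if group != self.group or artifact not in self.artifacts:
            return False
        if version in self.not_affected:
            return False
        key = version_key(version)
        if self.min_inclusive and key < version_key(self.min_inclusive):
            return False
        if self.max_exclusive and key >= version_key(self.max_exclusive):
            return False
        return True


LOG4J2 = "org.apache.logging.log4j"
# Java 7 / Java 6 backport fix releases (Apache advisory). Later patch releases on
# those lines are not modelled here and would need adding.
BACKPORTS = frozenset({"2.12.2", "2.3.1"})

ADVISORIES = [
    Advisory("CVE-2021-44228", "CRITICAL", LOG4J2, frozenset({"log4j-core"}),
             "2.0-beta9", "2.15.0", BACKPORTS),
    Advisory("CVE-2021-45046", "HIGH", LOG4J2, frozenset({"log4j-core"}),
             "2.0-beta9", "2.16.0", BACKPORTS),
    # Assumption: same range and exclusions as CVE-2021-45046, whose scope it overlaps.
    Advisory("SONATYPE-2021-4560", "HIGH", LOG4J2, frozenset({"log4j-core"}),
             "2.0-beta9", "2.16.0", BACKPORTS),
    # log4j 1.x: every release of the old artifact (exploitable only with JMSAppender).
    Advisory("CVE-2021-4104", "MODERATE", "log4j", frozenset({"log4j"}), None, None),
    # logback 1.2.7 and earlier; fixed in 1.2.8.
    Advisory("CVE-2021-42550", "MODERATE", "ch.qos.logback",
             frozenset({"logback-classic", "logback-core"}), None, "1.2.8"),
]


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str]]:
    """Accept 'group:artifact:version' or the 'group:artifact:type[:classifier]:version:scope'
    lines printed by `mvn dependency:list`; return (group, artifact, version) or None."""
    parts = line.replace("[INFO]", "").strip().split(":")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) in (5, 6):
        return parts[0], parts[1], parts[-2]
    return None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (coordinate, advisory id, severity) for every advisory a dependency matches."""
    findings = []
    for raw in lines:
        coord = parse_coordinate(raw)
        if coord is None:
            continue
        group, artifact, version = coord
        for adv in ADVISORIES:
            if adv.matches(group, artifact, version):
                findings.append((f"{group}:{artifact}:{version}", adv.ident, adv.severity))
    return findings


# Constructed sample in the shape of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LIST = """
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.12.2:compile
[INFO]    log4j:log4j:jar:1.2.17:compile
[INFO]    ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO]    ch.qos.logback:logback-core:jar:1.2.9:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
""".strip().splitlines()

if __name__ == "__main__":
    for coordinate, ident, severity in scan(SAMPLE_DEPENDENCY_LIST):
        print(f"{severity:<8} {ident:<20} {coordinate}")
```

Feed it the output of `mvn dependency:list` and every log4j-core below 2.16.0, every log4j:log4j, and every logback 1.2.7 or older is reported with the matching advisory. Note what this does not catch: a log4j-core shaded into a fat jar or vendored as a plain class directory has no Maven coordinate to match, which is why a scanner that inspects the archives themselves (such as the tools listed above) is still needed for a full inventory.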
