:
Skip Navigation

Log4j exploit updates

At the heart of the digital landscape, security is paramount. In the wake of the Log4j exploit, our commitment to safeguarding the online world has never been stronger. As the stewards of Maven Central, our teams are working around the clock to ensure that the world has reliable and fast access to the latest Log4shell fixes.

In this digital age where data breaches, vulnerabilities, and malware are a fairly common occurrence, our mission is clear: to provide you with the tools and information needed to fortify your digital defenses. Explore this page to stay updated on the latest Log4j exploit developments, access critical fixes, and empower yourself with the knowledge to protect your digital assets.

Log4J Percent Monthly Central Downloads

Downloads of vulnerable versions of Log4J still greater than 10% nearly three years after fixes were available.

img-fig_3.1-UPDATED

Dive into more Log4J insights and trends in the 2024 State of the Software Supply Chain Report.

 

Insights for innovators

 

Free tools to help you now

Vulnerability- Scanner-icon-only-White + Color

Sonatype Vulnerability Scanner

Produce a Software Bill of Materials and catalog all of the components in your application.

OWASP-icon

OSS Index

Detect publicly disclosed vulnerabilities contained within your project’s dependencies

“This new Log4j vulnerability is likely going to be another “flashbulb memory” event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem.”
Brian Fox
SONATYPE CTO IN THE DAILY SWING
 

Sonatype updates

Have questions about Log4j?

Sonatype documentation & research

CRITICAL

CVE-2021-44228

Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.
MODERATE

CVE-2021-4104

Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).
HIGH

CVE-2021-45046

DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0.
MODERATE

SONATYPE-2021-4517 AKA CVE-2021-42550

Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue.
HIGH

SONATYPE-2021-4560

Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.
"This is akin to someone figuring out mailing a letter into your post box with a specific address written on it allows them to open all your doors in your house.”
Brian Fox
Sonatype CTO in BBC
 

Resources from around the software community