Total downloads since December 10
Most recent ratio of vulnerable downloads
Total downloads since December 10
Most recent ratio of vulnerable downloads
1/6/22:
On Tuesday we saw a huge jump in consumption of 2.17.0 followed yesterday by a similar jump in 2.17.1. It's hard to explain this since .1 has been out for well over a week at this point. Why was everyone suddenly grabbing the .0 when .1 was available?
Taiwan and China are still consuming a massive amount of known vulnerable versions, and as can be seen on the bottom left graph, this has been fairly consistent since the start.
--Brian
1/6/22:
On Tuesday we saw a huge jump in consumption of 2.17.0 followed yesterday by a similar jump in 2.17.1. It's hard to explain this since .1 has been out for well over a week at this point. Why was everyone suddenly grabbing the .0 when .1 was available?
Taiwan and China are still consuming a massive amount of known vulnerable versions, and as can be seen on the bottom left graph, this has been fairly consistent since the start.
--Brian
Not addressing Log4shell issues are looking at more than downtime or reputation damage. U.S. regulators are considering lawsuits to enforce security.
Organizations need to be aware of Log4j not only in the software they produce, but also in the software they use. Any software written in Java is very likely to contain Log4j somewhere in its stack.
Sonatype's Java and Apache Software Foundation experts give another update on how the Log4j exploit is evolving, the number of variants we're seeing and share new trends in Log4j downloads.
Produce a Software Bill of Materials and catalog all of the components in your application.
Find and fix critical security, performance, reliability, and style issues in developer code.
Detect publicly disclosed vulnerabilities contained within your project’s dependencies
Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.
Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).
Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.
Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).
DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0.
Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591
DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0.
Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591
Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.
Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.
Sonatype Headquarters - 8161 Maple Lawn Blvd #250, Fulton, MD 20759
Tysons Office - 8281 Greensboro Drive – Suite 630, McLean, VA 22102
Australia Office - 60 Martin Place Level 1, Sydney, NSW 2000, Australia
London Office -168 Shoreditch High Street, E1 6HU London
Copyright © 2008-present, Sonatype Inc. All rights reserved. Includes the third-party code listed here. Sonatype and Sonatype Nexus are trademarks of Sonatype, Inc. Apache Maven and Maven are trademarks of the Apache Software Foundation. M2Eclipse is a trademark of the Eclipse Foundation. All other trademarks are the property of their respective owners.
Terms of Service Privacy Policy Modern Slavery Statement Event Terms and Conditions Do Not Sell My Personal Information