Total downloads since December 10
Most recent ratio of vulnerable downloads
Total downloads since December 10
Most recent ratio of vulnerable downloads
1/6/22:
On Tuesday we saw a huge jump in consumption of 2.17.0 followed yesterday by a similar jump in 2.17.1. It's hard to explain this since .1 has been out for well over a week at this point. Why was everyone suddenly grabbing the .0 when .1 was available?
Taiwan and China are still consuming a massive amount of known vulnerable versions, and as can be seen on the bottom left graph, this has been fairly consistent since the start.
--Brian
1/6/22:
On Tuesday we saw a huge jump in consumption of 2.17.0 followed yesterday by a similar jump in 2.17.1. It's hard to explain this since .1 has been out for well over a week at this point. Why was everyone suddenly grabbing the .0 when .1 was available?
Taiwan and China are still consuming a massive amount of known vulnerable versions, and as can be seen on the bottom left graph, this has been fairly consistent since the start.
--Brian
Not addressing Log4shell issues are looking at more than downtime or reputation damage. U.S. regulators are considering lawsuits to enforce security.
Organizations need to be aware of Log4j not only in the software they produce, but also in the software they use. Any software written in Java is very likely to contain Log4j somewhere in its stack.
Sonatype's Java and Apache Software Foundation experts give another update on how the Log4j exploit is evolving, the number of variants we're seeing and share new trends in Log4j downloads.
Produce a Software Bill of Materials and catalog all of the components in your application.
Find and fix critical security, performance, reliability, and style issues in developer code.
Detect publicly disclosed vulnerabilities contained within your project’s dependencies
Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.
Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).
Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.
Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).
DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0.
Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591
DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0.
Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591
Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.
Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.