Log4j Exploit Updates

As the stewards of Maven Central, our teams are working around the clock to ensure that the world has reliable and fast access to the latest Log4shell fixes.

Log4j Vulnerable Downloads Dashboard

Dashboard snapshot as of 2021-12-18.

Latest Insights

FTC Warning in Wake of Log4j: Secure Your Software Supply Chain

Organizations that do not address Log4shell issues face more than downtime or reputational damage: U.S. regulators are considering lawsuits to enforce security.


Log4j Exploit Explained - Everything You Need to Know to Protect Yourself

Organizations need to be aware of Log4j not only in the software they produce, but also in the software they use. Most software written in Java pulls in Log4j somewhere in its dependency tree, often transitively rather than as a direct dependency.


Critical Log4j Vulnerability Still Being Downloaded 40% of the Time

Sonatype's Java and Apache Software Foundation experts give another update on how the Log4j exploit is evolving and the number of variants we're seeing, and share new trends in Log4j downloads.

Free Tools to Help You Now


Nexus Vulnerability Scanner

Produce a Software Bill of Materials and catalog all of the components in your application.


Sonatype Lift

Find and fix critical security, performance, reliability, and style issues in developer code.


OSS Index

Detect publicly disclosed vulnerabilities contained within your project’s dependencies

“This new Log4j vulnerability is likely going to be another ‘flashbulb memory’ event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem.”

—Brian Fox, Sonatype CTO in The Daily Swig

Sonatype Updates

Critical New 0-day Vulnerability in Popular Log4j Library Discovered

BLOG

Log4Shell Help for Central Publishers

ARTICLE

Helping The Open Source Community Find, Fix, and Remediate Log4j

BLOG

Dissecting the Log4j Vulnerability

VIDEO

All Log4j, logback bugs we know so far and why you MUST ditch 2.15

ARTICLE

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS

Critical New 0-day Vulnerability in Popular Log4j Library Affecting Applications in Mass

VIDEO

Sonatype Log4j Community Forum

FORUM

Find and Fix Log4j with Sonatype

VIDEO

Have questions about Log4j? Ask the Sonatype community.

Sonatype Documentation & Research

CVE-2021-44228 (Critical):

The original Log4j CVE that started it all. Impacts “org.apache.logging.log4j:log4j-core” 2.x only: versions below 2.15.0 are affected.

CVE-2021-4104 (Moderate):

Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether, “log4j:log4j”, and is only reachable when the JMSAppender is configured. Not applicable to “log4j-core” (those are 2.x versions).

CVE-2021-45046 (HIGH):

Vulnerability impacting log4j-core versions up to and including 2.15.0; fixed in 2.16.0. Originally published as a denial of service; Apache later raised its severity after it was shown to allow data exfiltration and, in some non-default configurations, remote code execution.

Sonatype-2021-4517 aka CVE-2021-42550 (Moderate):

Similar to CVE-2021-4104, but impacts “logback-classic” and “logback-core”, as logback descends from log4j 1.x. The Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591

Sonatype-2021-4560 (High):

Applies to log4j 2.x versions up to and including 2.15.0; the fixed version to be on is 2.16.0. The vulnerability is based on Praetorian’s blog and is summarized further in this news report. Currently under Fast-Track, as full disclosure is pending with Apache; more details will be released in due course.

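The advisory list above gives coordinates and version ranges but no way to check them against a build. The script below is an added example (not Sonatype's, Apache's or the OSS Index code) that reads `g:a:v` coordinates or `mvn dependency:list` output and flags which of the advisories listed on this page apply, using only the ranges the page states for log4j-core, log4j:log4j and the Sonatype ID. One assumption not taken from this page: for CVE-2021-42550 the page gives no version bound, so the rule flags logback-classic and logback-core below 1.2.9, the logback project's fix release. The dependency lines are constructed sample input, not output from a real project.

```python
# Added example (not Sonatype's code or tooling): map dependency coordinates
# to the log4j / logback advisories listed on this page.
import re


def parse_version(v):
    """Turn '2.0-beta9', '2.14.1' or '1.2.17' into a comparable tuple.

    Numeric dotted parts are padded to three positions; a pre-release
    qualifier (-beta9, -rc1) sorts before the final release of the same number.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-(.+))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    qualifier = m.group(2) or ""
    return tuple(nums) + ((0, qualifier) if qualifier else (1, ""))


V = parse_version

# (group, artifact, predicate on parsed version, advisory, severity, note)
# Ranges for log4j-core, log4j:log4j and Sonatype-2021-4560 are as stated on
# this page. The logback bound (< 1.2.9) is an ASSUMPTION taken from the
# logback project's fix release; this page gives no bound for CVE-2021-42550.
RULES = [
    ("org.apache.logging.log4j", "log4j-core",
     lambda ver: ver[0] == 2 and ver < V("2.15.0"),
     "CVE-2021-44228", "Critical", "Log4Shell; fixed in 2.15.0"),
    ("org.apache.logging.log4j", "log4j-core",
     lambda ver: ver[0] == 2 and ver <= V("2.15.0"),
     "CVE-2021-45046", "High", "2.15.0 fix incomplete; fixed in 2.16.0"),
    ("org.apache.logging.log4j", "log4j-core",
     lambda ver: ver[0] == 2 and ver <= V("2.15.0"),
     "Sonatype-2021-4560", "High", "fixed in 2.16.0"),
    ("log4j", "log4j", lambda ver: True,
     "CVE-2021-4104", "Moderate", "log4j 1.x JMSAppender; all versions per this page"),
    ("ch.qos.logback", "logback-classic", lambda ver: ver < V("1.2.9"),
     "CVE-2021-42550", "Moderate", "assumed bound: fixed in logback 1.2.9"),
    ("ch.qos.logback", "logback-core", lambda ver: ver < V("1.2.9"),
     "CVE-2021-42550", "Moderate", "assumed bound: fixed in logback 1.2.9"),
]


def parse_coordinate(line):
    """Accept 'g:a:v' or a `mvn dependency:list` line such as
    '[INFO]    g:a:jar:v:compile' (optionally with a classifier)."""
    text = line.split("]", 1)[-1].strip() if line.startswith("[INFO]") else line.strip()
    parts = text.split(":")
    if len(parts) == 3:          # g:a:v
        return parts[0], parts[1], parts[2]
    if len(parts) == 5:          # g:a:type:v:scope
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:          # g:a:type:classifier:v:scope
        return parts[0], parts[1], parts[4]
    return None


def findings_for(group, artifact, version):
    """All (advisory, severity, note) rules matching one coordinate."""
    ver = parse_version(version)
    return [(adv, sev, note) for g, a, pred, adv, sev, note in RULES
            if g == group and a == artifact and pred(ver)]


def triage(lines):
    """Return {'g:a:v': [(advisory, severity, note), ...]} for every
    coordinate in `lines` that matches at least one listed advisory."""
    report = {}
    for line in lines:
        coord = parse_coordinate(line)
        if coord is None:
            continue
        hits = findings_for(*coord)
        if hits:
            report[":".join(coord)] = hits
    return report


# Constructed sample input in `mvn dependency:list` format (not a real project).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.15.0:test
[INFO]    log4j:log4j:jar:1.2.17:compile
[INFO]    ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
""".splitlines()

if __name__ == "__main__":
    for coord, hits in triage(SAMPLE_DEPENDENCY_LIST).items():
        print(coord)
        for adv, sev, note in hits:
            print(f"  {adv} ({sev}): {note}")
```

Run it against real output with `mvn dependency:list | python triage.py` after swapping the sample for `sys.stdin`; note that it flags a 2.15.0 test-scoped dependency just like a compile-scoped one, because the scope says nothing about whether that jar ends up on a classpath somewhere else.
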
“This is akin to someone figuring out mailing a letter into your post box with a specific address written on it allows them to open all your doors in your house.”

—Brian Fox, Sonatype CTO in BBC

Resources from around the Software Community

The Log4shell CVE from Mitre
Apache Foundation’s Log4j page with details
List of Affected Software compiled by Netherlands National Cybersecurity Center
Gartner Article for security leaders