Log4j exploit updates
As the stewards of Maven Central, our teams are working around the clock to ensure that the world has reliable and fast access to the latest Log4shell fixes.
Log4j download dashboard

Insights for innovators

BLOG POST
FTC Warning in Wake of Log4j: Secure Your Software Supply Chain
Organizations not addressing Log4shell issues are looking at more than downtime or reputation damage. U.S. regulators are considering lawsuits to enforce security.

WEBINAR
Log4j Exploit Explained - Everything You Need to Know to Protect Yourself
Organizations need to be aware of Log4j not only in the software they produce, but also in the software they use. Any software written in Java is very likely to contain Log4j somewhere in its stack.

MEDIA HIT
Critical Log4j Vulnerability Still Being Downloaded 40% of the Time
Sonatype's Java and Apache Software Foundation experts give another update on how the Log4j exploit is evolving and the number of variants we're seeing, and share new trends in Log4j downloads.
Free tools to help you now

OSS Index
Detect publicly disclosed vulnerabilities contained within your project’s dependencies
“This new Log4j vulnerability is likely going to be another ‘flashbulb memory’ event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem.”
Brian Fox
SONATYPE CTO IN THE DAILY SWIG
Sonatype updates

VIDEO
Critical New 0-day Vulnerability in Popular Log4j Library Affecting Applications in Mass

Have questions about Log4j?
Sonatype documentation & research
CRITICAL
CVE-2021-44228
The original Log4j CVE that started it all. Impacts “org.apache.logging.log4j:log4j-core” versions 2.x only: <2.15.0 affected.
MODERATE
CVE-2021-4104
Less severe variant of CVE-2021-44228, impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j”. Not applicable to “log4j-core” (those are 2.x versions).
HIGH
CVE-2021-45046
DoS vulnerability impacting log4j-core versions <=2.15.0; 2.16.0 is not affected.
MODERATE
SONATYPE-2021-4517 AKA CVE-2021-42550
Similar to CVE-2021-4104, but impacts “logback-classic” and “logback-core”, as logback is based on log4j 1.x. The Sonatype ID is based on this issue.
HIGH
SONATYPE-2021-4560
Applies to log4j 2.x versions up to and including 2.15.0. The fixed version to be on is 2.16.0. The vulnerability is based on Praetorian’s blog post and is summarized further in this news report. Currently under Fast-Track, as full disclosure is pending with Apache. More details will be released in due course.
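As an added example (not Sonatype's code or any of its tools), the Python helper below turns the version ranges listed above into a dependency check: given Maven coordinates as `group:artifact:version` lines, it reports which of the listed advisories apply to each one. The advisory table, the simplified version parsing and the embedded sample dependency list are assumptions constructed here; logback is left out because the page states no version bound for it.

```python
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """Leading dotted-numeric part of a Maven version; qualifiers are dropped ('2.0-beta9' -> (2, 0, 0))."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return (parts[0], parts[1] if len(parts) > 1 else 0, parts[2] if len(parts) > 2 else 0)

# Advisory ranges as stated on this page: (id, group:artifact, predicate on the parsed version).
ADVISORIES: List[Tuple[str, str, Callable[[Version], bool]]] = [
    # log4j-core 2.x only, versions below 2.15.0
    ("CVE-2021-44228", "org.apache.logging.log4j:log4j-core",
     lambda v: v[0] == 2 and v < (2, 15, 0)),
    # log4j-core 2.x up to and including 2.15.0; 2.16.0 is not affected
    ("CVE-2021-45046", "org.apache.logging.log4j:log4j-core",
     lambda v: v[0] == 2 and v <= (2, 15, 0)),
    ("SONATYPE-2021-4560", "org.apache.logging.log4j:log4j-core",
     lambda v: v[0] == 2 and v <= (2, 15, 0)),
    # every version of the 1.x coordinate
    ("CVE-2021-4104", "log4j:log4j", lambda v: True),
]

def scan(coordinates: List[str]) -> Dict[str, List[str]]:
    """Map each 'group:artifact:version' line to the advisory ids that apply to it."""
    findings: Dict[str, List[str]] = {}
    for line in coordinates:
        group, artifact, version = line.strip().split(":")
        parsed = parse_version(version)
        target_ga = f"{group}:{artifact}"
        findings[line] = [cve for cve, ga, affected in ADVISORIES
                          if ga == target_ga and affected(parsed)]
    return findings

# Constructed sample dependency list (not taken from a real build).
SAMPLE_DEPENDENCIES = [
    "org.apache.logging.log4j:log4j-core:2.14.1",
    "org.apache.logging.log4j:log4j-core:2.15.0",
    "org.apache.logging.log4j:log4j-core:2.16.0",
    "org.apache.logging.log4j:log4j-api:2.14.1",  # log4j-api is not log4j-core
    "log4j:log4j:1.2.17",
]

if __name__ == "__main__":
    for coord, ids in scan(SAMPLE_DEPENDENCIES).items():
        print(f"{coord}: {', '.join(ids) or 'no advisory listed on this page'}")
```

A coordinate with no match only means none of the ranges transcribed from this page apply; it is not a clean bill of health for artifacts the page does not bound, such as logback.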
“This is akin to someone figuring out mailing a letter into your post box with a specific address written on it allows them to open all your doors in your house.”
Brian Fox
Sonatype CTO in BBC