Open source software is everywhere now, but the Log4j flaw that affects Java enterprise applications is a reminder of what can go wrong in the complicated modern software supply chain.
The challenge with the Log4j flaw (also known as Log4Shell) is not only that admins need to patch the flaw — which got a ‘critical’ rating of 10 out of 10 — but that IT folk can’t easily discover whether a product or system is affected by the vulnerability in the component.
Google has calculated that approximately 17,000 Java packages in the Maven Central repository – the most significant Java package repository – were found to contain the vulnerable log4j-core library as a direct or transitive dependency.
And now security firm JFrog has found more by identifying additional packages containing the Log4j vulnerability that would not be detected through dependency scanning — that is, packages containing vulnerable Log4j code within the artefact itself.
It found that overall, direct inclusion of Log4j code in artefacts is not as common as the use of Log4j through dependencies. However, it still adds up to hundreds of packages – around 400 – which directly include Log4j code, opening these packages to