Critical Log4j Vulnerability Still Being Downloaded 40% Of The Time, Sonatype Research Reveals In New Resource Center

  • aster.cloud
  • December 25, 2021
  • 3 minute read

The Log4j open source component has been downloaded nearly five million times since a critical vulnerability in it (Log4Shell, CVE-2021-44228) was publicly disclosed on December 10th. However, 40% of those downloads are still of versions known to be critically vulnerable, according to new data released by Sonatype, the pioneer in intelligent and secure software supply chain automation.

As stewards of the Central Repository, the largest public repository of open source Java components, Sonatype has the unique ability to analyze patterns and practices relating to the consumption and utilization of millions of open source libraries, including Log4j.

Consumption data relating to Log4j has been compiled into a new Log4j Vulnerability Resource Center, a tool to track and publicise the latest findings and exploit updates around the vulnerability. Sonatype experts update the resource center multiple times each day to reveal how the attack is quickly mutating to infiltrate new corners of open source projects.

Data highlights include:

  • Percent “positivity rate” of vulnerable downloads versus safe downloads, showcasing how the problem is or isn’t improving
  • Hourly captures of download volumes of specific Log4j versions
  • Hourly updates on download percentages per version
  • Percent of vulnerable and non-vulnerable downloads by country since the vulnerability was discovered

“Log4j is one of the most popular Java projects across Maven Central and is the standard logging framework of choice for most other Java open source components, found in 7,000 projects,” said Brian Fox, co-founder and CTO of Sonatype. “The good news is we have seen very rapid adoption of upgraded versions in most of the world. However, the data indicates this adoption is both not globally consistent, and not complete, leaving 40% of the ongoing downloads occurring on vulnerable versions, with some parts of the world still grabbing vulnerable versions up to 80% of the time.”


Free Resources to Stop the Spread of Log4Shell

Sonatype has shared a number of free resources for the community, including the ability to scan applications for the Log4Shell vulnerability at no cost, whether you’re an open source project maintainer, developer, or security professional.

The company has open sourced its long-standing enterprise-grade Nexus Intelligence data for the Log4Shell vulnerability, accessible in Sonatype’s free online intelligence platform OSS Index, its code analysis platform Sonatype Lift (free for open source projects), and third-party tools that use OSS Index data, like OWASP Dependency Check. Open-source maintainers using the Central Repository can also generate a software bill of materials (SBOM) for all the releases they make available there.

Lastly, Sonatype offers an always-free vulnerability scanner you can download or use online. It alerts you to direct dependencies on vulnerable Log4j versions in your repositories and, because a vulnerable log4j-core is often pulled in by another library rather than declared in your own build file, it also expands the dependency graph (Sonatype calls this secondary expansion) to find those transitive dependencies. It also goes beyond scanning manifests, using a patented Advanced Binary Fingerprinting technique to identify what is actually inside a component, including partially modified instances such as shaded or repackaged copies that a name- or manifest-based scan would miss.
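To make the difference between reading a manifest and looking at what is actually bundled concrete, here is an added example scanner in Python. It is not Sonatype's tool and not code from the page: it walks a directory, opens every JAR, WAR, EAR or ZIP it finds, descends into archives nested inside them (fat JARs, WARs), and reports the log4j-core version recorded in the bundled pom.properties together with whether JndiLookup.class is present, so a renamed, shaded or repackaged copy, or a copy with the class deleted as a mitigation, is classified by its contents rather than its file name. The fixed-version floors it uses (2.17.0, with 2.12.3 and 2.3.1 for the Java 7 and Java 6 backport lines) are the fixed releases as of this article's date and are an assumption to check against the current Apache advisory; the sample archives built in demo() are constructed in memory for the example and are not real artifacts.

```python
"""Added example, not Sonatype's scanner: find log4j-core inside archives by
content (bundled pom.properties + JndiLookup.class), descending into nested
JARs, rather than trusting file names or a build manifest."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Entries a real log4j-core JAR carries: its Maven coordinates and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")

# ASSUMPTION: fixed-version floor per release line as of late December 2021
# (2.17.0 for Java 8+, 2.12.3 for the Java 7 line, 2.3.1 for the Java 6 line).
# Check against the current Apache Log4j security advisory before relying on it.
FIXED = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
FIXED_DEFAULT = (2, 17, 0)
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(\w+))?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = _VER.match(text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def is_vulnerable(version, jndi_present):
    """True when the artifact still needs an upgrade."""
    if not jndi_present:      # deleting JndiLookup.class was the documented mitigation
        return False
    if version is None:       # shaded copy or stripped metadata: assume the worst
        return True
    if version[0] != 2:       # only the 2.x line ever shipped JndiLookup
        return False
    return version < FIXED.get(version[:2], FIXED_DEFAULT)


def scan_archive(data, origin):
    """Yield (origin, version, jndi_present) per log4j-core found; nested paths use outer!inner."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    version, jndi = None, False
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
            elif name == JNDI_LOOKUP:
                jndi = True
            elif name.lower().endswith(NESTED):   # fat JAR, WAR, EAR: recurse in memory
                yield from scan_archive(zf.read(name), f"{origin}!{name}")
    if version is not None or jndi:
        yield (origin, version, jndi)


def scan_tree(root):
    """Return [(origin, version, jndi_present, vulnerable)] for every archive under root."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in NESTED:
            for origin, version, jndi in scan_archive(path.read_bytes(), str(path)):
                results.append((origin, version, jndi, is_vulnerable(version, jndi)))
    return results


def make_jar(entries):
    """Build an in-memory archive from {path: bytes} (only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Constructed samples, not real artifacts: a fat JAR nesting log4j-core 2.14.1,
    a plain 2.17.0, and a 2.10.0 with JndiLookup.class removed."""
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic stands in for real bytecode
    core_2_14_1 = make_jar({POM_PROPS: b"version=2.14.1\n", JNDI_LOOKUP: stub_class})
    samples = {
        "app.jar": make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                             "BOOT-INF/lib/log4j-core-2.14.1.jar": core_2_14_1}),
        "log4j-core-2.17.0.jar": make_jar({POM_PROPS: b"version=2.17.0\n",
                                           JNDI_LOOKUP: stub_class}),
        "log4j-core-2.10.0.jar": make_jar({POM_PROPS: b"version=2.10.0\n"}),
    }
    results = {}
    for origin, data in samples.items():
        for found, version, jndi in scan_archive(data, origin):
            results[found] = (version, jndi, is_vulnerable(version, jndi))
    return results


if __name__ == "__main__":
    rows = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
            else [(o, v, j, x) for o, (v, j, x) in demo().items()])
    for origin, version, jndi, vuln in rows:
        ver = ".".join(map(str, version)) if version else "unknown"
        print(f"{'VULNERABLE' if vuln else 'ok'}\t{ver}\tjndi={jndi}\t{origin}")
```

Run it with a directory argument to scan a real deployment (for example an unpacked container image or a Tomcat webapps folder); without arguments it reports the constructed samples. The fat JAR in the sample has no log4j entry in its own manifest, so a manifest-only check would report it clean; the scanner finds log4j-core 2.14.1 inside it, clears the 2.17.0 artifact, and treats the 2.10.0 artifact with JndiLookup.class removed as mitigated. Treat an "unknown" version with the class present as a finding to investigate rather than noise.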

“Our priority is helping our community of open source users secure their tools and make software supply chains safer, period. As managers of the Central Repository, Sonatype has long made scanning and analysis tools available for free to the community, and we’re pleased to continue that commitment in our response to this historic vulnerability,” said Fox. “With the combination of transitive dependencies and the number of variants of Log4j vulnerabilities, developers face an incredibly difficult challenge. Helping with remediation efforts is imperative; our team is here for the community.”


About Sonatype

Sonatype is the full-spectrum software supply chain automation company. We empower developers and security professionals with intelligent platform tools to innovate more securely at scale. Our platform addresses every element of an organization’s entire software development life cycle, including third-party open source code, first-party source code, infrastructure as code, and containerized code. We help organizations develop consistently high-quality, secure software which fully meets their business needs and those of their end-customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already rely on our tools and guidance to help them deliver and maintain exceptional and secure software.

Media contacts

Babel PR for Sonatype in the UK

[email protected]

Mission North for Sonatype in the US

[email protected]
