The Log4j open source component has been downloaded nearly five million times since a critical vulnerability was first discovered in it on December 10th. However, 40% of those downloads are still of the known critically vulnerable versions, according to new data released by Sonatype, the pioneer in intelligent and secure software supply chain automation.
As stewards of the Central Repository, the largest public repository of open source Java components, Sonatype has the unique ability to analyze patterns and practices relating to the consumption and utilization of millions of open source libraries, including Log4j.
Consumption data relating to Log4j has been compiled into a new Log4j Vulnerability Resource Center, a tool to track and publicise the latest findings and exploit updates around the vulnerability. Sonatype experts update the resource center multiple times each day to reveal how the attack is quickly mutating to infiltrate new corners of open source projects.
Data highlights include:
- Percent “positivity rate” of vulnerable downloads versus safe downloads, showcasing how the problem is or isn’t improving
- Hourly captures of download volumes of specific Log4j versions
- Hourly updates on download percentages per version
- Percent of vulnerable and non-vulnerable downloads by country since the vulnerability was discovered
“Log4j is one of the most popular Java projects across Maven Central and is the standard logging framework of choice for most other Java open source components, found in 7,000 projects,” said Brian Fox, co-founder and CTO of Sonatype. “The good news is we have seen very rapid adoption of upgraded versions in most of the world. However, the data indicates this adoption is both not globally consistent, and not complete, leaving 40% of the ongoing downloads occurring on vulnerable versions, with some parts of the world still grabbing vulnerable versions up to 80% of the time.”
Free Resources to Stop the Spread of Log4Shell
Sonatype has shared a number of free resources for the community, including the ability to easily scan applications for the Log4Shell vulnerability for free, whether you’re an open source project maintainer, developer, or security professional.
The company has open sourced its long-standing enterprise-grade Nexus Intelligence data for the Log4Shell vulnerability, accessible in Sonatype’s free online intelligence platform OSS Index, its code analysis platform Sonatype Lift (free for open source projects), and third-party tools that use OSS Index data, such as OWASP Dependency Check. Open source maintainers using the Central Repository can also generate a software bill of materials (SBOM) for every release they make available there.
Lastly, Sonatype offers an always-free vulnerability scanner that can be downloaded or used online. It not only flags vulnerable versions of Log4j declared as direct dependencies in your repositories; it also applies Sonatype’s secondary expansion technology to find vulnerable copies pulled in as transitive dependencies. And it goes beyond scanning manifests, using Sonatype’s patented Advanced Binary Fingerprinting to identify what is actually inside a component, including partially modified copies that a name or metadata check would miss.
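The two detection ideas in the paragraph above (descending into nested archives so that transitively bundled copies are found, and matching on what is actually inside a component rather than on its declared metadata, so that shaded or hand-edited copies are found) can be approximated with a small script. The example below is an added illustration, not Sonatype’s scanner and not code from this page. It assumes the standard log4j-core layout (a `pom.properties` under `META-INF/maven` and the `JndiLookup` plugin class), treats log4j-core versions before 2.15.0 as vulnerable to the original Log4Shell issue (the Apache fix line, not a figure from this page), treats a copy with `JndiLookup.class` removed as mitigated, and builds a constructed sample fat jar in memory so that it runs offline.

```python
import io
import os
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional

# The JNDI lookup plugin that Log4Shell abuses. Matched by path *suffix* so that
# shaded/relocated copies (e.g. "com/example/shaded/org/apache/logging/log4j/
# core/lookup/JndiLookup.class") are found even though the package was renamed.
JNDI_LOOKUP_SUFFIX = "log4j/core/lookup/JndiLookup.class"
POM_PROPS_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# First log4j-core release fixing the original Log4Shell issue (assumption taken
# from the Apache advisory; later 2.x patch releases fixed follow-on issues).
FIRST_FIXED = (2, 15, 0)


@dataclass
class Finding:
    location: str                # nested path, e.g. "app.jar!lib/log4j-core-2.14.1.jar"
    version: Optional[str]       # from pom.properties; None if stripped or shaded
    jndi_lookup_present: bool
    vulnerable: Optional[bool]   # None = version unknown, needs manual review


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerates '2.0-beta9' -> (2, 0)."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def scan_archive(data: bytes, location: str) -> Iterator[Finding]:
    """Yield one Finding per archive that contains log4j-core traces, recursing
    into nested archives (fat jars, WEB-INF/lib, EARs) for transitive copies."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        version, jndi = None, False
        for name in names:
            if name.endswith(POM_PROPS_SUFFIX):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            elif name.endswith(JNDI_LOOKUP_SUFFIX):
                jndi = True
        if version is not None or jndi:
            if not jndi:
                vuln = False          # lookup class removed: the documented stop-gap
            elif version is None:
                vuln = None           # repackaged copy with no metadata: review it
            else:
                vuln = parse_version(version) < FIRST_FIXED
            yield Finding(location, version, jndi, vuln)
        for name in names:            # descend into bundled archives
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(name), f"{location}!{name}")


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive under a directory on disk."""
    found: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    found.extend(scan_archive(fh.read(), path))
    return found


def make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_app() -> bytes:
    """Constructed sample (not a real artifact): a fat jar bundling four log4j copies."""
    pom = lambda v: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={v}\n"
    props = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    cls = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; contents are not inspected
    return make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        "lib/log4j-core-2.14.1.jar": make_jar({props: pom("2.14.1"), cls: fake_class}),
        "lib/log4j-core-2.17.1.jar": make_jar({props: pom("2.17.1"), cls: fake_class}),
        "lib/log4j-core-mitigated.jar": make_jar({props: pom("2.14.1")}),  # class deleted
        # Shaded copy: relocated package and no pom.properties, invisible to a manifest scan
        "com/example/shaded/" + cls: fake_class,
    })


def scan_sample() -> List[Finding]:
    return list(scan_archive(build_sample_app(), "app.jar"))


if __name__ == "__main__":
    for f in scan_sample():
        status = {True: "VULNERABLE", False: "ok", None: "REVIEW"}[f.vulnerable]
        print(f"{status:10} {f.location} version={f.version} JndiLookup={f.jndi_lookup_present}")
```

Run against a real tree with `scan_tree("/opt/app")`. The version check only covers the original issue; a copy reported as `ok` on version alone should still be compared against the current Apache advisories, and a `REVIEW` result (class present, no metadata) is exactly the repackaged case a metadata-only scanner silently misses.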
“Our priority is helping our community of open source users secure their tools and make software supply chains safer, period. As managers of the Central Repository, Sonatype has long made scanning and analysis tools available for free to the community, and we’re pleased to continue that commitment in our response to this historic vulnerability,” said Fox. “With the combination of transitive dependencies and the number of variants of Log4j vulnerabilities, developers face an incredibly difficult challenge. Helping with remediation efforts is imperative; our team is here for the community.”
Sonatype is the full-spectrum software supply chain automation company. We empower developers and security professionals with intelligent platform tools to innovate more securely at scale. Our platform addresses every element of an organization’s entire software development life cycle, including third-party open source code, first-party source code, infrastructure as code, and containerized code. We help organizations develop consistently high-quality, secure software which fully meets their business needs and those of their end-customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already rely on our tools and guidance to help them deliver and maintain exceptional and secure software.
Babel PR for Sonatype in the UK
Mission North for Sonatype in the US