More than 80% of Java packages affected by the vulnerability in the Apache Log4j library cannot be updated directly, and will require coordination between different project teams to address the flaw.
Shortly after the first vulnerability in the Apache Log4j library (CVE-2021-44228) was disclosed, Google’s Open Source Insights Team surveyed all the Java packages in the Maven Central Repository “to determine the scope of the issue in the open source ecosystem of JVM based languages, and to track the ongoing efforts to mitigate the affected packages,” say team members James Wetter and Nicky Ringland. The team estimates it could take years before the vulnerability is fully addressed within the Java ecosystem.
A significant part of the problem has to do with indirect dependencies. Direct dependencies, where a package explicitly pulls log4j into its code, are relatively straightforward to fix, as the developer or project owner just has to update log4j to the latest version.
Many packages instead pull in some other library that itself calls log4j, which is an indirect dependency. In that case, the package owner has to wait for the maintainer of that library to update log4j in the library code and release an updated version, which can then be used to update the package.
“The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed,” Wetter and Ringland note.
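As an added illustration of the dependency-chain point above (example code, not from the Open Source Insights team), the following walks a small constructed dependency graph and reports, for each package, whether it reaches a vulnerable log4j artifact directly or indirectly and how many separate releases must ship before it is clean. Package names, versions and the vulnerable set are placeholders, not real Maven coordinates or log4j release numbers.

```python
"""Classify packages by how they reach a vulnerable artifact in a dependency graph."""
from collections import deque

# Constructed sample graph: package -> its direct dependencies.
# "@old" / "@fixed" are placeholder versions, not real log4j releases.
DEPS = {
    "log4j-core@old": [],
    "log4j-core@fixed": [],
    "log4j-api@old": [],
    "lib-a@1.0": ["log4j-core@old"],       # direct consumer of the vulnerable artifact
    "lib-b@1.0": ["lib-a@1.0"],            # one step removed
    "app-direct@1.0": ["log4j-core@old"],
    "app-indirect@1.0": ["lib-b@1.0"],     # two libraries sit between it and log4j
    "app-clean@1.0": ["log4j-core@fixed"],
}
VULNERABLE = {"log4j-core@old", "log4j-api@old"}  # constructed marker set


def shortest_path_to_vulnerable(package, deps, vulnerable):
    """Breadth-first search; returns the shortest chain from package to a
    vulnerable artifact (inclusive), or None if none is reachable."""
    queue, seen = deque([[package]]), {package}
    while queue:
        path = queue.popleft()
        if path[-1] in vulnerable:
            return path
        for dep in deps.get(path[-1], []):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None


def classify(package, deps=DEPS, vulnerable=VULNERABLE):
    """Return (status, releases_needed). Every node on the chain except the
    vulnerable artifact itself must publish a fixed release, starting from
    the deepest library and working outward."""
    path = shortest_path_to_vulnerable(package, deps, vulnerable)
    if path is None:
        return ("clean", 0)
    releases = len(path) - 1
    if releases == 0:
        return ("vulnerable-artifact", 0)
    return ("direct" if releases == 1 else "indirect", releases)


def ecosystem_summary(deps=DEPS, vulnerable=VULNERABLE):
    """Share of packages affected and the longest fix chain in the graph."""
    results = {p: classify(p, deps, vulnerable) for p in deps}
    affected = [p for p, (s, _) in results.items() if s in ("direct", "indirect")]
    longest = max((r for _, r in results.values()), default=0)
    return {"total": len(deps), "affected": len(affected),
            "share": len(affected) / len(deps), "max_releases": longest}
```

Running `ecosystem_summary()` on the sample graph shows that app-indirect@1.0 needs three separate releases (lib-a, then lib-b, then itself) before it stops pulling in the vulnerable artifact.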
With approximately 440,000 Java packages, Maven Central is the largest and most significant package repository for Java applications, and provides an accurate assessment of the ecosystem, say Wetter and Ringland. The team found 35,863 Java packages using vulnerable versions of log4j (log4j-core and log4j-api), or roughly 8% of Java packages in Maven Central. When the team re-ran the scan to look at only packages using log4j-core, over 17,000 affected packages were found, or roughly 4% of the ecosystem.
Consider that whenever a major Java security flaw is found, it typically affects only 2% of the packages on Maven Central. The impact the Log4j flaw will have on the Java ecosystem is “enormous,” say Wetter and Ringland.
Thousands of packages have already been fixed — “a rapid response and mammoth effort both by the log4j maintainers and the wider community of open source consumers,” note Wetter and Ringland.