Number of vulnerable Log4j downloads remains high one year on
This week marks the first anniversary of the Log4j/Log4Shell vulnerability in the Java logging library, and, as we noted recently, many organizations are still vulnerable even though patched versions were quickly available.
Sonatype has produced a resource center to show the current state of the vulnerability, along with a tool to help businesses scan their open source code to see if it's affected.
The dashboard shows the percentage of Log4j downloads that remain vulnerable -- currently running at around 34 percent since last December. It also shows the parts of the world that have seen the highest percentage of vulnerable downloads.
Brian Fox, CTO of Sonatype, says:
Log4j was a stark reminder of the critical importance of securing the software supply chain. It was used in virtually every modern application and affected organizations' services across the globe. One year on from the Log4Shell incident, the situation remains grim. According to our data, 30-40 percent of all Log4j downloads are of the vulnerable version, despite the fact that a fix was released within 24 hours of the vulnerability's premature disclosure.
It's imperative that organizations recognize most of the risk involved with open source lies with consumers, who must employ best practice instead of blaming flawed code. Log4j is not an isolated incident -- 96 percent of vulnerable downloads of open source components had a fixed version available.
Organizations need better visibility of every component being used in their software supply chains. This is why quality software composition analysis solutions are so important today as the world contemplates how SBOMs will help in the future. UK and European policy on software should require commercial consumers of open source to be able to do the equivalent of a targeted recall, just as we expect from physical goods manufacturers like the auto industry. Across-the-board visibility will confer additional benefits for organizations like the ability to make portfolio-wide decisions to invest or divest in certain technologies, and to reduce the potential scope of impact.
You can visit Sonatype's vulnerability resource center here.