Google: Tech giant Google has said that over 35,000 Java packages have been affected by a recently disclosed vulnerability whose fallout has spread across the software industry. The affected Java packages make up more than 8% of the Maven Central repository, the largest repository of Java packages. According to the search engine giant, cybercriminals are making thousands of attempts to exploit the vulnerability, which involves ‘Apache log4j 2’, the Java logging library.
Google has said that ever since the vulnerability was disclosed on December 9, the information security ecosystem has been captivated by it, because the matter is both severe and has widespread impact.
Why is the matter severe?
Google has said in a statement that log4j is a popular logging tool used by “tens of thousands of software packages”, which are called artifacts in the Java ecosystem, as well as by numerous projects across the software industry.
Patching has been made difficult because users lack visibility into their dependencies, and even more so into their transitive dependencies (the packages their dependencies pull in). For the same reason, it has become difficult to determine the full “radius of the vulnerability”.
Google found that a whopping 35,863 Java artifacts from the Maven Central repository were dependent on the impacted log4j code as of December 16. This translates to over 8% of all packages on Maven Central having at least one version affected by this security issue.
So far, about 5,000 artifacts have been patched, which leaves more than 30,000 still to be fixed.
At the same time, Apache has released Log4j version 2.17.0, which came after it found issues in the previous version. The previous version had been released last week.
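The visibility gap described above is usually closed by walking the dependency tree. The script below is an added example (not code from Google or the Apache project): it scans constructed `mvn dependency:tree` output for log4j-core entries older than 2.17.0, the release named in this article, and reports whether each hit is a direct or a transitive dependency. Treating every version below 2.17.0 as needing an update is an assumption made for the example.

```python
"""Flag log4j-core artifacts older than a target version in Maven tree output."""
import re

# Assumption for this example: 2.17.0 is the minimum acceptable version;
# anything older is reported for update.
MIN_SAFE = (2, 17, 0)

# Matches coordinates such as org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
COORD_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:jar:(\d+)\.(\d+)\.(\d+)")

# Constructed sample of `mvn dependency:tree` output: one direct log4j-core
# dependency, one pulled in transitively through com.example:lib, and one
# already at the target version.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:test
"""


def find_outdated_log4j(tree_text, min_safe=MIN_SAFE):
    """Return (line_no, version, depth, is_transitive) for each log4j-core
    line whose version is below min_safe. Depth is derived from the tree
    connectors so transitive hits are distinguishable from direct ones."""
    hits = []
    for line_no, line in enumerate(tree_text.splitlines(), 1):
        m = COORD_RE.search(line)
        if not m:
            continue
        version = tuple(int(g) for g in m.groups())
        if version >= min_safe:
            continue
        # Each "+-", "\-" or "|" before the coordinate is one tree level.
        prefix = line[:m.start()]
        depth = prefix.count("+-") + prefix.count("\\-") + prefix.count("|")
        hits.append((line_no, ".".join(map(str, version)), depth, depth > 1))
    return hits


if __name__ == "__main__":
    for line_no, version, depth, transitive in find_outdated_log4j(SAMPLE_TREE):
        kind = "transitive" if transitive else "direct"
        print(f"line {line_no}: log4j-core {version} ({kind}, depth {depth})")
```

On a real project, pipe `mvn dependency:tree` output into `find_outdated_log4j` instead of the constructed sample; transitive hits point at the upstream artifact that must itself be updated or have its version overridden.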