As the world scrambles to patch serious security flaws that could bring the Internet to a halt for millions, Google stated that the recently disclosed vulnerabilities have impacted over 35,000 Java packages, accounting for over 8% of the Maven Central repository (the most significant Java package repository), with widespread ramifications across the software industry.
Thousands of attempts are being made to exploit a second vulnerability involving the Java logging system ‘Apache log4j2’.
Since its disclosure on December 9, this vulnerability has fascinated the information security ecosystem due to its severity and global impact, according to Google.
Google said in a blog post: “As a popular logging tool, ‘log4j’ is used by tens of thousands of software packages (known as ‘artifacts’ in the Java ecosystem) and projects across the software industry.”
Patching has been challenging due to users’ lack of visibility into their dependencies and transitive dependencies; it has also made it “difficult to determine the full blast radius of this vulnerability”.
As of December 16, Google found that 35,863 of the accessible Java ‘artifacts’ on Maven Central rely on the affected log4j code.
This implies that more than 8% of all packages on Maven Central have at least one version that is impacted by this security flaw.
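The visibility problem described above is usually tackled by walking the resolved dependency tree rather than the declared one. The script below is an added example, not code from Google or from the Apache Log4j project: it parses the text format printed by `mvn dependency:tree` (constructed sample output embedded inline, with hypothetical `com.example` artifacts), flags every `log4j-core` entry older than 2.17.0, the release the article says Apache issued after the problems with 2.16.0, and records the chain of direct dependencies through which each vulnerable copy was pulled in. The check targets `log4j-core` only, the artifact that the Apache fixes patch; `log4j-api` lines are listed but not flagged.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output (hypothetical project;
# not output from any real build). The vulnerable copy arrives transitively.
SAMPLE_TREE = """\
[INFO] com.example:shop-service:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.5.6:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |        \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:internal-metrics:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:test
"""

# Minimum safe version per the article (2.17.0 supersedes the flawed 2.16.0).
FIXED_VERSION: Tuple[int, ...] = (2, 17, 0)
TREE_PREFIX_CHARS = "|+\\- "  # characters Maven uses to draw the tree


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); qualifiers such as '-beta9' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def parse_tree(tree_text: str) -> List[Dict[str, object]]:
    """Parse `mvn dependency:tree` lines into dicts with group, artifact,
    version, scope, depth (0 = the project itself) and the path of
    ancestors that pulled the dependency in."""
    deps: List[Dict[str, object]] = []
    ancestors: List[str] = []  # coordinate of the ancestor at each depth
    for raw in tree_text.splitlines():
        line = raw.replace("[INFO]", "", 1).strip()
        body = line.lstrip(TREE_PREFIX_CHARS)
        depth = (len(line) - len(body)) // 3  # each tree level is 3 chars wide
        parts = body.split(":")
        if len(parts) < 4:
            continue  # not a coordinate line (e.g. "BUILD SUCCESS")
        group, artifact = parts[0], parts[1]
        if len(parts) == 4:  # root project: group:artifact:type:version
            version, scope = parts[3], "root"
        else:  # dependency: group:artifact:type[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        coord = f"{group}:{artifact}:{version}"
        ancestors[depth:] = [coord]  # drop deeper siblings, record this node
        deps.append({
            "group": group,
            "artifact": artifact,
            "version": version,
            "scope": scope,
            "depth": depth,
            "path": " > ".join(ancestors[1:depth + 1]),
        })
    return deps


def find_vulnerable_log4j(tree_text: str,
                          fixed: Tuple[int, ...] = FIXED_VERSION) -> List[Dict[str, object]]:
    """Return every log4j-core entry whose version is below `fixed`."""
    return [
        dep for dep in parse_tree(tree_text)
        if dep["group"] == "org.apache.logging.log4j"
        and dep["artifact"] == "log4j-core"
        and parse_version(str(dep["version"])) < fixed
    ]


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python find_log4j.py   (or pass a saved file)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    hits = find_vulnerable_log4j(text)
    for hit in hits:
        kind = "direct" if hit["depth"] == 1 else "transitive"
        print(f"log4j-core {hit['version']} ({hit['scope']}, {kind}) via {hit['path']}")
    sys.exit(1 if hits else 0)
```

Run the script over a real tree saved with `mvn dependency:tree > tree.txt`; the non-zero exit status makes it usable as a build gate. The `path` field is the part a practitioner needs most: it names the direct dependency to upgrade or exclude when the vulnerable copy is not declared anywhere in the project's own POM.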
Google said: “As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%.”
Nearly 5,000 ‘artifacts’ have been patched thus far, with over 30,000 more to go.
Meanwhile, Apache has released version 2.17.0 of the Log4j patch after detecting issues with the previous release, which was issued last week.
On Friday, security researchers tweeted about 2.16.0’s potential flaws, with some pointing to a “denial of service vulnerability”.
Cybersecurity firms have discovered that major ransomware groups such as Conti are looking into exploiting the security flaw.
Security researchers cautioned that hackers were attempting over 100 times per minute to exploit a critical security flaw in the widely used Java logging system known as ‘Apache log4j2,’ putting millions of organizations at risk of cyber theft.
This ‘ubiquitous’ zero-day exploit, currently regarded as one of the most critical vulnerabilities on the Internet in recent years, affects a number of popular services, including Apple iCloud, Amazon, Twitter, Cloudflare and Minecraft.
Many forms of enterprise and open-source software, including cloud platforms, web applications, and email services, employ ‘Apache Log4j.’