The Log4j open source component has been downloaded nearly five million times since a critical vulnerability was first discovered in it on December 10th. However, 40% of those downloads are still of the known critically vulnerable versions, according to new data released by Sonatype, a software supply chain automation company.
Sonatype said it has the ability to analyse patterns and practices relating to the consumption and utilisation of millions of open source libraries, including Log4j.
Consumption data relating to Log4j has been compiled into a new Log4j Vulnerability Resource Center, a tool to track and publicise the latest findings and exploit updates around the vulnerability.
Sonatype experts update the resource center multiple times each day to reveal how the attack is quickly mutating to infiltrate new corners of open source projects.
The report highlights the percentage “positivity rate” of vulnerable downloads versus safe downloads, showing whether the problem is improving or not.
“Log4j is one of the most popular Java projects across Maven Central and is the standard logging framework of choice for most other Java open source components, found in 7,000 projects,” said Brian Fox, co-founder and CTO of Sonatype. “The good news is we have seen very rapid adoption of upgraded versions in most of the world. However, the data indicates this adoption is both not globally consistent, and not complete, leaving 40% of the ongoing downloads occurring on vulnerable versions, with some parts of the world still grabbing vulnerable versions up to 80% of the time.”
Sonatype has shared a number of free resources for the community, including the ability to easily scan applications for the Log4Shell vulnerability for free, whether you’re an open source project maintainer, developer, or security professional.
The company has open sourced its long-standing enterprise-grade Nexus Intelligence data for the Log4Shell vulnerability, accessible in free online intelligence platform OSS Index, its code analysis platform Sonatype Lift (free for open source projects), and third party tools that use OSS Index data, like OWASP Dependency Check.
Open source maintainers using the Central Repository can also generate a software bill of materials (SBOM) for all the releases they make available there.
The company said it offers an always-free vulnerability scanner that can be downloaded or used online. Not only will it alert you to all directly vulnerable versions of Log4j in your repositories, but Sonatype also employs secondary expansion technology to find transitive dependencies. It also goes beyond scanning manifests, utilising its patented Advanced Binary Fingerprinting to identify what is actually in components, including partially modified instances of those components.
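The two points made above, that a manifest-only scan misses transitive copies of log4j-core bundled inside other archives and that a shaded or partially modified copy may carry no Maven metadata at all, are easiest to see in a small inspection script. The following is an added example written for this article; it is not Sonatype's scanner and does not use their fingerprinting. It walks a JAR and every archive nested inside it, reads the Maven `pom.properties` that log4j-core ships, and independently checks for the `JndiLookup` class so that a copy whose metadata was stripped is still reported. The sample "application" JAR is constructed in memory with dummy class bytes, and the version threshold passed to `is_older_than` is an assumed example value that an operator should replace with whatever the current advisory names.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Maven metadata that the genuine log4j-core artifact ships with.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose presence indicates the JNDI lookup code is bundled, even when the
# archive has been shaded or relabelled and the pom.properties above is gone.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                  # archive chain, e.g. "app.jar!/lib/log4j-core.jar"
    version: Optional[str]     # None when no log4j-core pom.properties was found
    has_jndi_lookup: bool      # JndiLookup.class present in this archive


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); pre-release suffixes such as '-beta9' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def is_older_than(version: str, threshold: Tuple[int, ...]) -> bool:
    """True when the parsed version sorts below the operator-supplied threshold."""
    return parse_version(version) < threshold


def _version_from_properties(raw: bytes) -> Optional[str]:
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.strip().startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data: bytes, label: str, depth: int = 0, max_depth: int = 8) -> List[Finding]:
    """Recursively inspect an archive and every archive nested inside it."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings            # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = _version_from_properties(zf.read(LOG4J_CORE_POM)) if LOG4J_CORE_POM in names else None
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            findings.append(Finding(label, version, has_jndi))
        if depth < max_depth:      # bound recursion for hostile or self-nesting archives
            for name in sorted(names):
                if name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
                    findings.extend(scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth))
    return findings


def _make_jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_app_jar() -> bytes:
    """Constructed sample: a fat JAR bundling a metadata-bearing log4j-core, a shaded
    copy with its Maven metadata stripped, and an unrelated clean library."""
    dummy_class = b"\xca\xfe\xba\xbe"   # class-file magic only; not real bytecode
    log4j_core = _make_jar({
        LOG4J_CORE_POM: b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        JNDI_LOOKUP_CLASS: dummy_class,
    })
    shaded = _make_jar({JNDI_LOOKUP_CLASS: dummy_class})
    clean = _make_jar({"com/example/Main.class": dummy_class})
    return _make_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "lib/log4j-core-2.14.1.jar": log4j_core,
        "lib/shaded-deps.jar": shaded,
        "lib/clean.jar": clean,
    })


if __name__ == "__main__":
    fixed_at = (2, 15, 0)   # assumed example threshold; take the real one from the current advisory
    for f in scan_archive(build_sample_app_jar(), "app.jar"):
        if f.version is None:
            status = "no Maven metadata, JndiLookup present: review manually"
        else:
            status = "below threshold" if is_older_than(f.version, fixed_at) else "at or above threshold"
        print(f"{f.path}: version={f.version} jndi_lookup={f.has_jndi_lookup} -> {status}")
```

Reading a real application means passing the bytes of the deployed JAR or WAR to `scan_archive`; the recursion is what catches the transitive copy a manifest-only check would miss, and the metadata-less finding is the case that needs a human or a fingerprint database rather than a version string.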