While the recently disclosed Log4Shell vulnerability in the open-source logging library Apache Log4j affects around 35,000 Java packages, about 8% of the Maven Central repository, Google has said it would be difficult to determine the vulnerability's full blast radius.
According to a report last week by cybersecurity firm Check Point Research, 41% of corporate networks in India have already faced an attempted exploit. The most affected region was Australia and New Zealand, where about 46% of corporate networks saw an attempt.
The vulnerability allows an attacker to execute code remotely. Log4j is currently used by thousands of software packages, which are referred to as artifacts in the Java ecosystem.
The logging library is used by Apple, Google and Microsoft, among others.
“As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%,” said James Wetter and Nicky Ringland, of the Google Open-Source Insights Team, in a blog post.
Google said that about 5,000 of the affected artifacts have been fixed, leaving more than 30,000 still affected. Many of these probably depend on another artifact that has yet to be patched, and so are most likely blocked.
Google added that fixing the JVM ecosystem would be tough because most artifacts that depend on Log4j do so indirectly, and some require multiple steps to be fixed.
“For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down),” the blog post said.
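The transitive depth Google describes is something a consuming project can measure directly. The following Python script is an added example, not code from Google's blog post or from the Log4j project: it parses the text output of `mvn dependency:tree` (the embedded sample is constructed for illustration, not real project output), reports every `org.apache.logging.log4j:log4j-core` occurrence with its depth and the chain of intermediate artifacts that each must ship a fixed release before the fix arrives through ordinary dependency resolution, and flags versions below 2.15.0, the release that fixed CVE-2021-44228. The `fixed_version` parameter and the `BACKPORTED_FIXES` set are assumptions added here: the 2.12.2 (Java 7) and 2.3.1 (Java 6) backport releases are not treated as vulnerable, and the follow-up CVEs that later moved the recommended version to 2.17.0 and beyond are out of scope.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")
MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# Assumption: these backport releases carry the CVE-2021-44228 fix even though
# they sort below 2.15.0.
BACKPORTED_FIXES = {"2.12.2", "2.3.1"}

# Constructed sample shaped like `mvn dependency:tree` output; not a real project.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
[INFO] +- com.example:internal-lib:jar:3.2.0:compile
[INFO] |  \\- com.example:shaded-logging:jar:1.1.0:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""


@dataclass
class Finding:
    version: str
    depth: int            # 0 is the root project, 1 a direct dependency, ...
    path: List[str]       # group:artifact:version from the root down to log4j-core
    vulnerable: bool

    @property
    def intermediates(self) -> List[str]:
        """Artifacts between the root and log4j-core. Each has to release a version
        that pulls in fixed Log4j before the fix propagates without a manual override."""
        return self.path[1:-1]


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only, so 2.14.1 -> (2, 14, 1) and 2.0-beta9 -> (2, 0, 9)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable(version: str, fixed_version: str = "2.15.0") -> bool:
    """Log4j 2.x below the fixed version, excluding the backported fix releases."""
    key = version_key(version)
    if not key or key[0] != 2 or version in BACKPORTED_FIXES:
        return False
    return key < version_key(fixed_version)


def parse_coordinate(token: str) -> Optional[Tuple[str, str, str]]:
    """groupId:artifactId:type[:classifier]:version[:scope] -> (group, artifact, version)."""
    parts = token.split(":")
    if len(parts) < 4:
        return None
    if parts[-1] in MAVEN_SCOPES:
        parts = parts[:-1]
    return parts[0], parts[1], parts[-1]


def find_log4j_core(tree_text: str, fixed_version: str = "2.15.0") -> List[Finding]:
    """Walk the resolved tree (non-verbose output) and record every log4j-core node."""
    findings: List[Finding] = []
    stack: List[str] = []  # coordinates of the ancestors of the current line
    for line in tree_text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        # The tree drawing uses three-character cells: "+- ", "\- ", "|  " or "   ".
        idx = 0
        while idx < len(body) and body[idx] in "|+\\- ":
            idx += 1
        parsed = parse_coordinate(body[idx:].split(" ", 1)[0])
        if parsed is None:   # plugin banner, separator, BUILD SUCCESS, etc.
            continue
        group, artifact, version = parsed
        depth = idx // 3
        del stack[depth:]    # pop back to this node's parent
        stack.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == LOG4J_CORE:
            findings.append(Finding(version, depth, list(stack),
                                    is_vulnerable(version, fixed_version)))
    return findings


def report(tree_text: str, fixed_version: str = "2.15.0") -> List[str]:
    lines = []
    for f in find_log4j_core(tree_text, fixed_version):
        status = "VULNERABLE" if f.vulnerable else "ok"
        via = " -> ".join(f.intermediates) or "(direct)"
        lines.append(f"log4j-core {f.version}: {status}, depth {f.depth}, via {via}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TREE)))
```

Feed it `mvn dependency:tree > tree.txt` from a real project and it reads only the resolved tree; entries that Maven omits for conflict (shown only with `-Dverbose`) are not parsed, and Gradle output needs a different parser. A consumer can pin `log4j-core` in `dependencyManagement` to get unblocked immediately, but the intermediates listed in each finding are the artifacts that remain "blocked" in Google's sense until their own maintainers publish a fixed release.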
Google urged the open-source community to strengthen security by enabling automated dependency updates and adding security mitigations.