The Log4j saga: New vulnerabilities and attack vectors discovered
2021-12-20 07:31

The Apache Log4j saga continues, as several new vulnerabilities have been discovered in the popular library since Log4Shell was fixed by releasing Log4j v2.15.0.

Log4j vulnerabilities are going to remain a focus for some time.

On Friday, CISA issued an emergency directive mandating that federal civilian executive branch agencies address Log4j vulnerabilities by December 28, 2021.

As some companies elatedly confirm their products are not affected by the flaws because they don't use the Log4j library, Google has scanned Maven Central, the most significant Java package repository, and found that over 35,000 available Java artifacts depend on the affected log4j code.

"Direct dependencies account for around 7,000 of the affected artifacts, meaning that any of its versions depend upon an affected version of log4j-core or log4j-api, as described in the CVEs. The majority of affected artifacts come from indirect dependencies, meaning log4j is not explicitly defined as a dependency of the artifact, but gets pulled in as a transitive dependency," James Wetter and Nicky Ringland of Google's Open Source Insights Team explained.

"At the time of writing, nearly five thousand of the affected artifacts have been fixed. This represents a rapid response and mammoth effort both by the log4j maintainers and the wider community of open source consumers. That leaves over 30,000 artifacts affected, many of which are dependent on another artifact to patch and are likely blocked."
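The direct-versus-transitive distinction Google's team describes is exactly what a defender needs to pull out of their own build: the following scanner, added here as an example and not code from the article or from Google's Open Source Insights project, parses `mvn dependency:tree` output and reports every `log4j-core`/`log4j-api` below a threshold version, marking whether it is a direct dependency or which direct dependency drags it in. The sample tree is constructed, and the default threshold of 2.15.0 is an assumption taken from the article's Log4Shell fix release; since later vulnerabilities were found, pass the currently recommended version instead.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `mvn dependency:tree` output (not taken from the article).
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:internal-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

LOG4J_GROUP = "org.apache.logging.log4j"
AFFECTED_ARTIFACTS = {"log4j-core", "log4j-api"}
# Each nesting level in the tree is a 3-character prefix ("|  " or "   ") before "+-" / "\-".
LINE_RE = re.compile(r"^\[INFO\] ((?:[| ]{3})*)[+\\]- (\S+)")

@dataclass
class Finding:
    artifact: str
    version: str
    direct: bool
    via: Optional[str]  # the direct dependency that pulls it in, if transitive

def parse_version(v: str):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def scan_tree(tree_text: str, min_fixed: str = "2.15.0") -> List[Finding]:
    """Report affected log4j artifacts below min_fixed (assumed threshold; see lead-in)."""
    findings = []
    path = ["<root>"]  # path[d] holds "group:artifact" at depth d
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3 + 1
        parts = m.group(2).split(":")  # group:artifact:type[:classifier]:version[:scope]
        group, artifact = parts[0], parts[1]
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        del path[depth:]
        path.append(f"{group}:{artifact}")
        if group == LOG4J_GROUP and artifact in AFFECTED_ARTIFACTS \
                and parse_version(version) < parse_version(min_fixed):
            findings.append(Finding(artifact, version, depth == 1, None if depth == 1 else path[1]))
    return findings

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.artifact} {f.version}: {'direct' if f.direct else 'transitive via ' + f.via}")
```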


News URL

https://www.helpnetsecurity.com/2021/12/20/log4j-attack-vectors/