Java Code Repository Riddled with Hidden Log4j Bugs; Here’s Where to Look
There's an enormous amount of software vulnerable to the Log4j bug through Java software supply chains - and administrators and security pros likely don't even know where to look for it.
About 17,000 Java packages in the Maven Central repository, the most significant collection of Java packages available to developers, are vulnerable to Log4j - and it will likely take "years" for it to be fixed across the ecosystem, according to Google security.
After the CVE was updated to say that only log4j-core was affected, which ruled out vulnerable instances of log4j-api, Google Security determined that as of Dec. 19, more than 17,000 packages in Maven Central were vulnerable, about 4 percent of the entire repository.
"The majority of affected artifacts come from indirect dependencies, meaning Log4j is not explicitly defined as a dependency of the artifact, but gets pulled in as a transitive dependency," the Google team said.
Adding another degree of difficulty to ferreting out the Log4j bugs is Java's "soft" version requirements, according to Google.
To help out, Google has pulled together a list of the 500 most-used and impacted Java code packages.
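For checking your own builds for the transitive case Google describes, here is an added example (not from the article or from Google) that parses the text output of `mvn dependency:tree` and reports every chain that pulls in log4j-core. The sample tree, its package names and its versions are constructed for illustration, and `find_artifact` is a hypothetical helper name.

```python
import re

# Constructed sample of `mvn dependency:tree` text output (not from the article).
SAMPLE_TREE = r"""
[INFO] com.example:shop-app:jar:1.0.0
[INFO] +- com.example:web-kit:jar:3.1.0:compile
[INFO] |  +- com.example:audit-lib:jar:1.2.0:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-core:jar:2.14.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.14.0:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

# Optional "[INFO] " prefix, then 3-character tree markers, then the coordinate.
LINE = re.compile(r"^(?:\[INFO\] )?((?:[|+\\ ][ -] )*)(\S+)$")


def find_artifact(tree_text, group="org.apache.logging.log4j", artifact="log4j-core"):
    """Return one record per occurrence of group:artifact in the tree,
    including the chain of dependencies that brings it into the build."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banner, blank line or other non-tree output
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue  # not a Maven coordinate
        depth = len(m.group(1)) // 3      # each nesting level is 3 characters wide
        del stack[depth:]                  # drop siblings and deeper nodes
        stack.append(":".join(parts[:2]))  # remember group:artifact at this level
        if parts[0] == group and parts[1] == artifact:
            # Root lines have no scope field; dependency lines end in version:scope.
            version = parts[-2] if len(parts) >= 5 else parts[-1]
            hits.append({
                "version": version,
                "transitive": depth > 1,   # depth 1 means declared directly
                "path": list(stack),
            })
    return hits


if __name__ == "__main__":
    for hit in find_artifact(SAMPLE_TREE):
        kind = "transitive" if hit["transitive"] else "direct"
        print(f"log4j-core {hit['version']} ({kind}): " + " -> ".join(hit["path"]))
```

Compare each reported version against the fixed release named in the current Log4j advisory; the first hop in each path is the direct dependency to upgrade or override.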