Security News > 2022 > January > Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository.

Tracked as CVE-2021-44228 aka Log4shell, the original vulnerability affected version 2.14 and earlier of the 2.x branch of the Apache logging utility.

Sonatype's field CTO Ilkka Turunen told The Register the number of downloads of pre-2.15 versions of Log4j from the Maven central repository was oddly high.

Around 40 per cent of downloads initiated from the UK alone over the past couple of days were of outdated versions.

Interestingly enough, Sonatype said about 42 per cent of total downloads of Log4j over the weekend were of the very latest versions, 2.17 and 2.17.1 - the main Log4shell vulnerabilities were addressed by 2.16 - which suggests that at least some organisations are not just installing the patched versions of 2.15 or 2.16 but picking up the very latest.

With the US Federal Trade Commission having threatened legal action against American organisations that don't upgrade Log4j to non-exploitable versions, there's little excuse in the English-speaking world for not having noticed the fact that there's something up with Log4j.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/11/outdated_log4j_downloads/