Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2667" data-attributes="member: 3">
<h3><span style="color: rgb(0, 168, 133)">Severity: Low TLP: Green</span> Four Million Outdated log4j Downloads Were Served from Apache Maven Central</h3>
<p><strong>Tags</strong></p>
<ol>
<li data-xf-list-type="ol"><strong>Critical CVE</strong></li>
</ol>
<p><strong>Four Million Outdated log4j Downloads Were Served from Apache Maven Central Alone despite Vuln Publicity Blitz</strong></p>
<p><strong>Summary:</strong></p>
<p>There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository.</p>
<p>That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks.</p>
<p><strong>Analyst Comments:</strong></p>
<p>Sonatype's field CTO Ilkka Turunen told The Register the number of downloads of pre-2.15 versions of Log4j from the Maven central repository was oddly high. Around 40 per cent of downloads initiated from the UK alone over the past couple of days were of outdated versions.</p>
<p>"Now, it's not entirely clear to us whether or not it's legacy software, whether or not it is testing versions, and things like this, but what it seems to suggest is that there is a population of users that are downloading it," Turunen told The Register, adding that these people are probably "completely unaware" that their version is outdated.</p>
<p><strong>Mitigation:</strong></p>
<p>Interestingly enough, Sonatype said about 42 per cent of total downloads of Log4j over the weekend were of the very latest versions, 2.17 and 2.17.1 – the main Log4Shell vulnerabilities were addressed by 2.16 – which suggests that at least some organisations are not just installing the patched versions of 2.15 or 2.16 but picking up the very latest.</p>
<p>As for the cause of the outdated downloads, "There's this sort of long tail of software where it's still being built... not necessarily as a direct dependency."</p>
<p><strong>Source:</strong></p>
<p><a href="https://www.theregister.com/2022/01/11/outdated_log4j_downloads/" target="_blank">https://www.theregister.com/2022/01/11/outdated_log4j_downloads/</a></p>
</blockquote>
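A defender-side check for the "long tail" of transitive log4j-core dependencies the post describes, added here as an example (not code from the post, The Register or Sonatype): it parses `mvn dependency:tree` output and, using the thresholds the post states (2.16 fixing the main Log4Shell issues, 2.17.1 as the latest), reports each log4j-core node and which direct dependency pulled it in. The exact release numbers are an assumption, backport branches such as 2.12.x are not modelled, and the sample tree is constructed.

```python
import re
from typing import Dict, List, Tuple

# Version thresholds from the post; exact release numbers are an assumption.
LOG4SHELL_FIXED = (2, 16, 0)   # "main Log4shell vulnerabilities were addressed by 2.16"
LATEST = (2, 17, 1)            # "the very latest versions, 2.17 and 2.17.1"
LOG4J_CORE = "org.apache.logging.log4j:log4j-core"

# Maven coordinate as printed by dependency:tree: group:artifact:type:version[:scope]
COORD = re.compile(r"(?P<ga>[\w.\-]+:[\w.\-]+):\w+:(?P<version>[\w.\-]+)")

def parse_version(v: str) -> Tuple[int, int, int]:
    """'2.17.1' -> (2, 17, 1); a non-numeric tail such as '-rc1' is ignored."""
    nums = []
    for piece in v.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version: str) -> str:
    v = parse_version(version)
    if v < LOG4SHELL_FIXED:
        return "log4shell-exposed"
    return "outdated" if v < LATEST else "current"

def find_log4j_core(tree_text: str) -> List[Dict[str, object]]:
    """Report every log4j-core node and the direct dependency that pulled it in
    ('via' is None when log4j-core is itself a direct dependency)."""
    findings, path = [], []          # path[d] = group:artifact at depth d
    for raw in tree_text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        m = COORD.search(line)
        if not m:
            continue
        # Each level adds a 3-char prefix ("+- ", "\- ", "|  ", "   "); verbose
        # output wraps omitted nodes in parentheses, which we strip for depth.
        depth = len(line[:m.start()].replace("(", "")) // 3
        del path[depth:]
        path.append(m.group("ga"))
        if m.group("ga") == LOG4J_CORE:
            findings.append({"version": m.group("version"),
                             "status": classify(m.group("version")),
                             "via": path[1] if depth > 1 else None,
                             "omitted": "omitted for conflict" in line})
    return findings

# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] com.example:billing:jar:1.0.0
[INFO] +- org.springframework:spring-core:jar:5.3.14:compile
[INFO] +- com.example:legacy-reporting:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- com.example:metrics:jar:1.4.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
"""

if __name__ == "__main__":
    for finding in find_log4j_core(SAMPLE_TREE):
        print(finding)
```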