About 17,000 Java packages in the Maven Central repository, the most significant collection of Java packages available to developers were found to be vulnerable to Log4j.
According to google security, it will likely take “years” for it to be fixed across the ecosystem. Following the CVE update that just Log4j-core was affected, eliminating vulnerable instances of the Log4j-api, Google Security determined that as of Dec. 19, more than 17,000 packages in Maven Central were vulnerable, about 4 percent of the entire repository. Of those, just 25 percent of the packages had updated versions available.
For comparison, the Google researchers explained in a Tuesday blog post that the average bug affects between 2 percent and less than .01 percent of such packages.
Read More: Threatpost
For more such updates follow us on Google News ITsecuritywire News