Google’s open-source team said they scanned Maven Central, the largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library.
This includes Java packages that use Log4j versions vulnerable to the original Log4Shell exploit (CVE-2021-44228) and a second remote code execution bug discovered in the Log4Shell patch (CVE-2021-45046).
Log4Shell patching process hits first snags
Since the vulnerability was disclosed last week, the community has already fixed 4,620 of the 35,863 packages initially found vulnerable, which accounts for 13% of all the vulnerable packages.
The main reason for this is that Log4j isn’t always included as a direct dependency of a Java package; it is often a dependency of another dependency, known as an indirect (transitive) dependency.
Log4j is a direct dependency in only 7,000 of the total 35,000 libraries, so many Java developers will most likely have to swap out indirect dependencies that haven’t been updated for safe alternatives. Currently, a Java package is considered safe if it uses Log4j v2.16.0.
But as per the latest report, Apache has released an updated statement stating that Log4j v2.17.0 is safe. This issue seems likely to drag on for months.
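As an added illustration (not code from Google's scan or from the article), the script below parses the output of `mvn dependency:tree`, flags every `log4j-core` artifact older than 2.17.0, and reports whether it is a direct or a transitive dependency and which direct dependency pulled it in, which is the information a developer needs to decide what to upgrade or swap out. The tree text is constructed sample output, not real project data, and the parser assumes Maven's standard three-characters-per-level indentation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output (not from any real project).
# Each indentation level is three characters wide; depth-1 lines are direct
# dependencies of the project, deeper lines are transitive (indirect) ones.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:some-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
[INFO] \\- com.example:other-lib:jar:1.1.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
"""

LOG4J_CORE = "org.apache.logging.log4j:log4j-core"
SAFE_VERSION = (2, 17, 0)  # Apache's updated guidance cited in the article

# prefix = tree-drawing characters ("|  ", "   ", "+- ", "\- "); coords = G:A:type:version:scope
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ]{3})*(?:[+\\]- )?)(?P<coords>\S+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.16.0' (or '2.17.0-rc1') into a comparable tuple of its numeric parts."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def find_vulnerable_log4j(tree_text: str) -> List[Dict[str, str]]:
    """Return every log4j-core node below SAFE_VERSION together with the direct
    dependency on its path, so the caller knows which artifact to upgrade or replace."""
    findings = []
    stack: List[str] = []  # group:artifact of the ancestors at each depth
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coords").split(":")
        ga = f"{parts[0]}:{parts[1]}"
        version = parts[-2] if len(parts) >= 5 else parts[-1]  # skip trailing scope
        stack = stack[:depth] + [ga]
        if ga == LOG4J_CORE and parse_version(version) < SAFE_VERSION:
            findings.append({
                "version": version,
                "kind": "direct" if depth == 1 else "transitive",
                "via": stack[1],  # the project's own direct dependency on this path
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"log4j-core {f['version']} ({f['kind']}, via {f['via']})")
```

For a real project, pipe `mvn dependency:tree` into the script instead of `SAMPLE_TREE`; transitive hits point at the direct dependency that must be upgraded or replaced, since editing the project's own pom cannot fix a version chosen by someone else's artifact.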