New research has revealed that nearly half of all Log4j downloads since the discovery of the Log4Shell vulnerability remain critically vulnerable, one month after the initial disclosure.
As of Sunday, 43% of all Log4j downloads were "coming from critically vulnerable versions", according to security researchers at Sonatype, and a little more than 44% of the downloads in the UK are thought to be exposed to the vulnerability during the same timeframe.
Since 10 December 2021 when Log4Shell was first disclosed, Log4j has been downloaded more than 10 million times. Nearly half of all of these were of unsafe versions, despite fully patched and secure versions being available at the time, Sonatype said.
'Vulnerable downloads' refers to any download of Log4j made from 10 December onwards that was vulnerable to Log4Shell at the time. The downloads monitored by the researchers were from The Central Repository, which Sonatype describes as "the de-facto download location for dependencies for most Java programming languages" and which had a total volume of more than 457 trillion downloads in 2021.
Asked why there were so many vulnerable downloads made despite safe versions being available, Ilkka Turunen, field CTO at Sonatype, said it mainly comes down to teams maintaining legacy infrastructure.