Over 40% of Log4j Downloads Are Vulnerable Versions of the Software

siteadmin March 10, 2022

Despite a fix having been issued for the Log4j vulnerability, over 40% of downloads from the Maven Central Java package repository are still of versions known to be vulnerable. Of the 31.4 million Log4j downloads since December 2021, more than 10 million could be vulnerable. Reasons for this include automated build systems downloading specific versions, Log4j being an integral component of Java applications that is hard to detect and upgrade, and a lack of software supply chain management at many organisations.
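As an added illustration of the "hard to detect and upgrade" point (this is example code, not part of the original post), the script below scans `mvn dependency:tree` output for `log4j-core`, including transitive copies pulled in by other libraries, and flags any version below a threshold. The sample tree and the `MIN_SAFE_VERSION` threshold are constructed assumptions; set the threshold to the version your organisation treats as fixed.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not from the page).
# log4j-core appears once as a direct dependency and once transitively
# via a third-party library, which is the copy that is easy to miss.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] +- com.example:legacy-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Assumed threshold: the first version your organisation treats as fixed.
MIN_SAFE_VERSION = "2.17.1"

# Maven coordinate: groupId:artifactId:type:version[:scope]
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r":(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); stop at the first non-numeric part."""
    parts: List[int] = []
    for p in v.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def find_vulnerable_log4j(tree_text: str, min_safe: str = MIN_SAFE_VERSION) -> List[Tuple[str, str, int]]:
    """Return (artifact, version, depth) for every log4j-core below min_safe.

    depth 1 is a direct dependency; depth >= 2 is transitive.
    """
    hits: List[Tuple[str, str, int]] = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m or m.group("group") != "org.apache.logging.log4j" or m.group("artifact") != "log4j-core":
            continue
        # Tree-drawing prefix ("+- ", "|  \- ") is 3 characters per level.
        prefix = line[: m.start()].replace("[INFO] ", "")
        depth = len(prefix) // 3
        if parse_version(m.group("version")) < parse_version(min_safe):
            hits.append((m.group("artifact"), m.group("version"), depth))
    return hits


if __name__ == "__main__":
    for artifact, version, depth in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"{artifact} {version} at depth {depth} is below {MIN_SAFE_VERSION}")
```

Run it against the real output of `mvn dependency:tree` for each module; a hit at depth 2 or more is a copy that a pom-level version bump alone will not fix.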