The Log4j Flaw Will Take Years to Be Fully Addressed
Over 80% of the Java packages impacted by the Apache Log4j vulnerability cannot be updated directly, which complicates mitigation efforts. Project teams need to coordinate to fix the flaw, and because of indirect dependencies that could take years. Google’s Open Source Insights Team found that around 8% of the Java packages in the Maven Central Repository, the largest Java package repository, use the vulnerable Log4j versions, indicating a potentially significant impact on the entire ecosystem.