The Free Press Journal

Google unable to determine the radius of Internet bugs

- AGENCIES

As the world scrambles to plug serious security bugs that can derail the Internet for millions, Google has said that more than 35,000 Java packages, amounting to over 8 per cent of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed vulnerabilities with widespread fallout across the software industry.

Cyber criminals are making thousands of attempts to exploit a second vulnerability involving a Java logging system called ‘Apache log4j2’. According to Google, this vulnerability has captivated the information security ecosystem since its disclosure on December 9 because of both its severity and widespread impact.

“As a popular logging tool, ‘log4j’ is used by tens of thousands of software packages (known as ‘artifacts’ in the Java ecosystem) and projects across the software industry,” Google said in a blog post. Users' lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it “difficult to determine the full blast radius of this vulnerability”. As of December 16, Google found that 35,863 of the available Java ‘artifacts’ from Maven Central depend on the affected log4j code.

This means that more than 8 per cent of all packages on Maven Central have at least one version that is impacted by this vulnerability. “As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%,” said Google. So far, nearly 5,000 ‘artifacts’ have been patched, leaving more than 30,000 still to be fixed.

Meanwhile, Apache has released version 2.17.0 of the patch for Log4j after discovering issues with their previous release, which came out last week. On Friday, security researchers tweeted about potential issues with 2.16.0, with some identifying the “denial of service vulnerability”. Cybersecurity firms have found that major ransomware groups like Conti are exploring ways to take advantage of the vulnerability.

—IANS
