Difficult to determine full blast radius of Internet bugs: Google

New Delhi: As the world scrambles to plug serious security bugs that can derail the Internet for millions, Google has said that more than 35,000 Java packages, amounting to over 8 per cent of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed vulnerabilities with widespread fallout […]

New Delhi: As the world scrambles to plug serious security bugs that can derail the Internet for millions, Google has said that more than 35,000 Java packages, amounting to over 8 per cent of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed vulnerabilities with widespread fallout across the software industry.

Cyber criminals are making thousands of attempts to exploit a second vulnerability involving a Java logging system called ‘Apache log4j2’.

---

According to Google, this vulnerability has captivated the information security ecosystem since its disclosure on December 9 because of both its severity and widespread impact.
“As a popular logging tool, ‘log4j’ is used by tens of thousands of software packages (known as ‘artifacts’ in the Java ecosystem) and projects across the software industry,” Google said in a blog post.

User’s lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it “difficult to determine the full blast radius of this vulnerability”.

As of December 16, Google found that 35,863 of the available Java ‘artifacts’ from Maven Central depend on the affected log4j code.
This means that more than 8 per cent of all packages on Maven Central have at least one version that is impacted by this vulnerability.

“As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%,” said Google.
So far, nearly 5,000 ‘artifacts’ have been patched, leaving more than 30,000 more.
Meanwhile, Apache has released version 2.17.0 of the patch for Log4j after discovering issues with their previous release, which came out last week.

On Friday, security researchers tweeted about potential issues with 2.16.0, with some identifying the “denial of service vulnerability”.

Cybersecurity firms have found that major ransomware groups like Conti are exploring ways to take advantage of the vulnerability.

They warned that hackers were making over 100 attempts every minute to exploit a critical security vulnerability in the widely-used Java logging system called ‘Apache log4j2’, leaving millions of companies globally at cyber theft risk.

Several popular services, including Apple iCloud, Amazon, Twitter, Cloudflare and Minecraft, are vulnerable to this ‘ubiquitous’ zero-day exploit, now dubbed as one of the most serious vulnerabilities on the Internet in recent years.

‘Apache Log4j’ is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services.