![]() ![]() ![]() Open ranges allow the resolution algorithm to select the most recently released version that satisfies dependency requirements, thereby pulling in new fixes. This practice is in contrast to other ecosystems, such as npm, where it’s common for developers to specify open ranges for dependency requirements. Propagating a fix often requires explicit action by the maintainers to update the dependency requirements to a patched version. In the Java ecosystem, it’s common practice to specify “ soft” version requirements - exact versions that are used by the resolution algorithm if no other version of the same package appears earlier in the dependency graph. This exploitable feature was enabled by default in many versions of the library.Īnother difficulty is caused by ecosystem-level choices in the dependency resolution algorithm and requirement specification conventions. ![]() The vulnerabilities allow an attacker to perform remote code execution by exploiting the insecure JNDI lookups feature exposed by the logging library log4j. More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities ( 1, 2), with widespread fallout across the software industry. The linked list, which continues to be updated, only includes packages which depend on log4j-core. 25% of affected packages have fixed versions available. The ecosystem impact numbers for just log4j-core, as of 19th December are over 17,000 packages affected, which is roughly 4% of the ecosystem. Since then, the CVE has been updated with the clarification that only log4j-core is affected. The below numbers were calculated based on both log4j-core and log4j-api, as both were listed on the CVE. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |