Is log4j vulnerability still widespread?
2022-07-27 21:46:00 【chenzixia】
The "nuclear-grade" Log4j vulnerability, Log4Shell, may affect the world forever.
The Cyber Safety Review Board (CSRB) of the Department of Homeland Security (DHS) recently released its investigation report on last year's Log4Shell vulnerability:
https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
The CSRB was established by DHS only in February of this year. Its responsibility is to investigate major cybersecurity incidents and to provide reports containing recommendations for improving national cybersecurity. The first incident the CSRB investigated was the "nuclear-grade" Log4j vulnerability that broke out last year.

According to the report, although there is no indication of major cyberattacks caused by the Log4j vulnerability, it will still "be used in the next few years." Deputy Secretary of Homeland Security Rob Silvers also said: "The Log4j vulnerability is one of the most serious software vulnerabilities in history."
The CSRB noted that, surprisingly, exploitation of the Log4j vulnerability has been lower than experts expected. The board also said that there have so far been no significant Log4j attacks on critical infrastructure systems, but that there are some cyberattacks that are not mentioned in the report.
The board said that future attacks are likely, largely because Log4j is often embedded in other software, and these indirect dependencies make it difficult for enterprises to find where it is running in their systems. The board put forward some recommendations for mitigating the impact of the Log4j vulnerability and improving cybersecurity overall, including advising universities and community colleges to make cybersecurity training an integral part of their computer science degree and certification programs.
According to Sonatype's statistics (https://www.sonatype.com/resources/log4j-vulnerability-resource-center), vulnerable versions of Log4j are still downloaded from Maven Central more than 100,000 times every working day.
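The indirect-dependency problem described above can be checked mechanically. The following is an added example, not code from the CSRB report or the original post: it walks archives nested inside an application package and reports every inner archive that carries log4j-core's `JndiLookup.class`, together with the version recorded in its Maven metadata when present. The archive names and the version string in the sample are constructed.

```python
import io
import zipfile

MARKER = "JndiLookup.class"       # class shipped in log4j-core (its JNDI lookup)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8                     # stop runaway nesting
MAX_NESTED = 256 * 1024 * 1024    # skip oversized inner archives

def scan(data, path="app", depth=0):
    """Return [(nesting_path, version_or_None)] for each archive holding the marker class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        names = zf.namelist()
        # Match on the base name so relocated (shaded) copies are found too.
        if any(n.rsplit("/", 1)[-1] == MARKER for n in names):
            props = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
            version = next((l[8:].strip() for l in props.splitlines()
                            if l.startswith("version=")), None)
            hits.append((path, version))
        for info in zf.infolist():
            if (info.filename.lower().endswith(ARCHIVE_EXTS)
                    and depth < MAX_DEPTH and info.file_size <= MAX_NESTED):
                hits += scan(zf.read(info), f"{path}!/{info.filename}", depth + 1)
    return hits

def make_zip(entries):
    """Build an in-memory archive from {name: bytes}; used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    # Constructed sample: a WAR whose vendor jar embeds log4j-core two levels down.
    log4j = make_zip({
        "org/apache/logging/log4j/core/lookup/JndiLookup.class": b"\xca\xfe\xba\xbe",
        POM: b"artifactId=log4j-core\nversion=0.0.0-sample\n",
    })
    vendor = make_zip({"lib/log4j-core.jar": log4j, "com/vendor/Main.class": b""})
    return make_zip({"WEB-INF/lib/vendor-sdk.jar": vendor})

if __name__ == "__main__":
    for where, version in scan(build_sample(), "shop.war"):
        print(where, "log4j-core version:", version or "unknown")
```

The reported version still has to be compared against the fixed releases listed in the Apache Log4j advisory; a hit with no version means the class was repackaged without its Maven metadata.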
Finally, a question: has your Log4j vulnerability been fixed? Let's talk in the comments.