March 11 — It has been nearly three months since the Apache Foundation revealed the Log4j vulnerability and provided a fix for it. However, the vulnerable versions of Log4j are still being downloaded 41% of the time. This data comes from Sonatype, the administrator of the Maven Central Java package repository where developers can download Log4j.

Why are vulnerable versions of Log4j available for download in the first place?

This may be a head scratcher, given how widespread the flaw is and the relative ease with which it can be exploited.

There is a couple reasons for the continued downloads.

First, automated build systems are required to download a specific version build due to software dependencies. Removing  vulnerable versions of Log4j from Maven Central is risky, as some developers have to download a vulnerable version to prevent conflicts in a software update. Unfortunately, if the organization maintaining that software has ignored the Log4j news, that application is at risk of being exploited. Because Log4j is integral to many Java applications, and is embedded several layers deep within them, this has made it very hard for organizations to remediate the problem.

A second reason for the high number of Log4j downloads is that researchers could be testing their defenses, as well as threat actors who could be testing their cyber weapons.

At the end of the day, it’s best for the community to make their own judgment and to do their due diligence when it comes to maintaining secure software.

For more information about building cyber security resilience, see CyberTalk.org’s past coverage.