Flawed Log4j Is Still Being Downloaded, Despite FTC Warnings

Vulnerable versions persist because so many other pieces of software still rely on them.

February 11, 2022


ALEXANDRIA, Va.—Despite warnings from the Federal Trade Commission, vulnerable versions of Log4j software continue to be downloaded at least tens of thousands of times each day, reports the Wall Street Journal.

Developers who keep pulling in the vulnerable versions “don’t know what’s going on inside their software,” Brian Fox, chief technology officer for the cybersecurity company Sonatype Inc., told the Journal.

Maintained by volunteers, Log4j is a free-to-use, ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services. Log4j was updated in December after Chinese e-commerce firm Alibaba reported a bug that could allow attackers to execute code remotely and potentially take over computer systems they target.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. ... It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” wrote the FTC in a blog post.

It’s possible that some developers are downloading old versions of the tool for security research or after evaluating the software’s potential threats to their organizations’ systems, reports the Journal. Flawed versions of the code are still available because so many other pieces of software still rely on them.

“There would be massive breakage of a number of systems if it disappeared, because they depend upon it,” David Nalley, president of the Apache Software Foundation, said in an interview.

Companies that must keep using flawed versions of Log4j should build security walls around them to detect suspicious activity. Additionally, here are five steps businesses can take to avoid the Log4j vulnerability.