The December disclosure of a security flaw in a widely used piece of logging software known as Log4j drew grave warnings from U.S. officials that the bug could open the door for a surge in cyberattacks.
But vulnerable versions of the free tool continue to be downloaded at least tens of thousands of times each day, according to a cybersecurity company that manages a repository for such open-source projects. These pre-fix versions make up more than one-third of Log4j downloads from the catalog, a share that doesn’t appear to be shrinking.
These developers “don’t know what’s going on inside their software,” said Brian Fox, chief technology officer for the cybersecurity company Sonatype Inc. that runs the repository.
The Log4j vulnerability set off a global race for many companies to patch their computer systems and highlighted how much of the digital economy relies on open-source tools. Maintained by volunteers, Log4j is a free-to-use bit of code that helps track activity across many computer applications.
Mr. Fox’s company acts as a steward for Maven Central, a repository where software developers can access open-source code such as Log4j to include in their projects. On Wednesday afternoon, the platform counted more than 7,500 downloads an hour of versions of Log4j released before its initial security updates were published in December.
That total doesn’t necessarily reflect the number of organizations affected, Mr. Fox said, as developers building or updating their software may use automated tools that repeatedly request Log4j. But those old versions did account for 36% of all Log4j requests to the repository during that period.
“That ratio still kind of represents what’s going on across the entire ecosystem generally,” Mr. Fox said, adding that his firm has limited insight into who is still using the flawed software. “That’s pretty terrible.”
David Nalley, president of the Apache Software Foundation, the nonprofit that oversees the distribution of Log4j, said it is possible some developers are downloading old versions of the tool for security research or after evaluating the software’s potential threats to their organizations’ systems. Apache updated Log4j in December after a researcher at Chinese e-commerce firm Alibaba Group Holding Ltd. reported a bug that could allow attackers to execute code remotely and potentially take over computer systems they target. The nonprofit released subsequent fixes in response to additional security concerns.
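The practical check behind these download figures is whether your own build still resolves one of the pre-fix versions. The script below is an added example, not code from the article, Sonatype or Apache: it reads the output of Maven’s `mvn dependency:tree` (whose `groupId:artifactId:type[:classifier]:version:scope` line format is Maven’s own) and flags every `log4j-core` below the December 2021 fix level. The thresholds it uses (2.17.1 for the main branch, 2.12.4 for the Java 7 branch, 2.3.2 for the Java 6 branch) are Apache’s published release numbers and are not taken from the article; the sample tree is constructed for the example.

```python
"""Flag Maven builds that still resolve a pre-fix Log4j 2 core (added example,
not the article's or Apache's code). Pipe in the output of `mvn dependency:tree`."""
import re
from typing import List, Optional, Tuple

# Lowest log4j-core releases carrying the complete December 2021 fixes, one per
# branch Apache maintained: 2.17.1 (Java 8+), 2.12.4 (Java 7), 2.3.2 (Java 6).
# These are Apache's published release numbers, not figures from the article.
FIXED_BY_BRANCH = {12: (2, 12, 4), 3: (2, 3, 2)}
FIXED_MAIN = (2, 17, 1)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# A dependency:tree coordinate has 5 or 6 colon-separated fields:
# groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(r"[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){4,5}")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Numeric prefix of a Maven version string; '2.0-beta9' -> (2, 0, 0)."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when a log4j-core version predates the December 2021 fixes.
    Unparseable versions are reported as affected so somebody looks at them."""
    v = parse_version(version)
    if v is None:
        return True
    if v[0] != 2:
        return False  # Log4j 1.x is a different code base; out of scope here
    threshold = FIXED_BY_BRANCH.get(v[1], FIXED_MAIN)
    return v < threshold


def scan_dependency_tree(tree_text: str) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for each affected log4j-core in the tree."""
    hits: List[Tuple[str, str]] = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        parts = m.group(0).split(":")
        group_id, artifact_id, version = parts[0], parts[1], parts[-2]
        if group_id == "org.apache.logging.log4j" and artifact_id == "log4j-core":
            if is_affected(version):
                hits.append((m.group(0), version))
    return hits


# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:legacy-lib:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile
[INFO] +- com.example:old-tool:jar:0.9:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.3.2:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

if __name__ == "__main__":
    for coord, version in scan_dependency_tree(SAMPLE_TREE):
        print(f"AFFECTED {version}: {coord}")
```

Run it against `mvn dependency:tree` output from each module; a hit that comes in transitively (the `legacy-lib` line above) is exactly the case Mr. Fox describes, where the team never chose Log4j and may not know it is there. The scope field is kept in the output because a `test`-scoped copy ships nowhere, while a `compile`-scoped one ends up in the deployed artifact.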
Flawed forms of the code are still available because so many other pieces of software still rely on them, said Mr. Nalley, who shared estimates of the continuing downloads during a hearing Tuesday before the Senate Committee on Homeland Security and Governmental Affairs.
“There would be massive breakage of a number of systems if it disappeared, because they depend upon it,” he said in an interview.
Kurt John, chief information security officer for industrial conglomerate Siemens USA, advised companies that need to keep using such versions of Log4j to build security controls around them to detect suspicious activity. Internally, Siemens USA has seen instances where Log4j was deployed in applications or networks that aren’t accessible from the internet, so they were less of a priority to fix, he said.
The bug has pushed some companies and governments to monitor the open-source tools that act as building blocks in their technology more carefully.
Last month, representatives for companies including Microsoft Corp., Amazon.com Inc., Apple Inc. and Facebook parent Meta Platforms Inc. met with U.S. officials at the White House to discuss how to thwart such security threats. Additionally, the Biden administration last week unveiled a panel of federal officials and private-sector experts, modeled loosely on the National Transportation Safety Board, to investigate major cyber incidents. The Cyber Safety Review Board’s first investigation will probe Log4j.
Even though the Log4j tool isn’t currently tied to many high-profile cyberattacks, security experts warn that the software’s ubiquity suggests related threats could last years. Speaking at the Senate hearing Tuesday, Jen Miller-Osborn, deputy director of threat intelligence at cybersecurity company Palo Alto Networks Inc., said attackers are using remotely controlled botnets to scan for weak points.
“The fact that [Log4j] has been adopted by botnets as well serves to highlight that this vulnerability is never going to die,” she said.
—Kim S. Nash contributed to this article
Write to David Uberti at david.uberti@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.