Information Security 7 min read

How the Log4j2 Vulnerability Threatens Millions of Java Projects and What to Do

The Log4j2 flaw, a low‑cost, high‑impact Java logging vulnerability, has exposed tens of thousands of open‑source components and over 70% of enterprise systems, prompting massive remediation efforts and highlighting the urgent need for robust security support.


Apache Log4j2 is a Java‑based logging tool widely used in business systems to record log information.

Recently, Log4j2 was found to have an exceptionally low‑cost, high‑impact vulnerability that allows an attacker to control the target device by sending a single command. The flaw affects more than 60,000 popular open‑source packages and over 70% of enterprise online systems. Even after official patches, attackers repeatedly bypassed fixes, forcing major internet companies to work around the clock.

In recent years, critical vulnerabilities have repeatedly emerged:

2014 – Heartbleed exposed two‑thirds of websites.

2017 – EternalBlue put millions of hosts at risk of ransomware.

2021 – Log4j2 again impacted more than 70% of enterprise systems.

Undoubtedly, these critical flaws keep internet enterprises and their users on edge.

01 Fatal Blow to Open‑Source Software

The Huoxian security team’s comprehensive analysis of Log4j2 and affected open‑source components revealed severe risks. Java ORM frameworks such as MyBatis and Hibernate are impacted, and because most Java applications interact with databases through ORM, any database‑related application is at high risk.

Analysis of the Maven repository shows that tens of thousands of foundational components are vulnerable, affecting millions of component versions. Due to space constraints, this article presents the risky components along several dimensions.

Current (incomplete) statistics from GitHub indicate that 60,644 open‑source projects have published 321,094 packages with risks, affecting many flagship projects of major open‑source foundations.

Top 10 projects by star count are listed below:

Top 10 Apache Foundation projects affected by the Log4j2 vulnerability are shown below:

Top 10 Java development frameworks impacted by Log4j2 are displayed below:

All data are sourced from Huoxian’s Apache Log4j2 vulnerability impact query system: https://log4j2.huoxian.cn.

02 Technical Implementation

Log4j2 is typically added to Maven/Gradle projects as a dependency for logging. During the investigation, we analyzed the entire Maven repository, performed relational analysis based on direct and indirect dependencies, and compiled a complete list of components affected by Log4j2.

We then correlated the affected components with open‑source projects on GitHub to identify each component’s corresponding project and its details.
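To make the direct‑and‑indirect dependency analysis concrete, here is an added example (not Huoxian's tooling or the article's own code) that walks a constructed `mvn dependency:tree` output, tracks the chain from the root project down to each transitive dependency, and flags every `log4j-core` node below a chosen fixed version. The 2.17.1 threshold and the sample tree are assumptions; adjust the threshold to the current Apache advisory.

```python
import re

# Constructed sample of `mvn dependency:tree` output; not a real project's tree.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] \\- com.example:lib:jar:3.1.0:compile
"""

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
VULNERABLE_ARTIFACT = ("org.apache.logging.log4j", "log4j-core")
# Assumption: versions below 2.17.1 are treated as needing remediation.
FIXED_VERSION = (2, 17, 1)


def parse_tree(text):
    """Yield (depth, group, artifact, version) for each node in the tree output."""
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        # Tree drawing characters (| + \ - and spaces) form a 3-char-per-level prefix.
        m = re.match(r"([|+\\\- ]*)(\S+)", line)
        if not m:
            continue
        prefix, coord = m.groups()
        parts = coord.split(":")  # group:artifact:packaging[:classifier]:version[:scope]
        if len(parts) < 4:
            continue  # plugin banners, separators and other non-coordinate lines
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        yield len(prefix) // 3, parts[0], parts[1], version


def version_key(version):
    """Compare versions numerically; '2.0-beta9' becomes (2, 0, 9)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def find_log4j_core(tree_text, fixed=FIXED_VERSION):
    """Return (dependency path, version, needs_fix) for every log4j-core node."""
    findings, path = [], []
    for depth, group, artifact, version in parse_tree(tree_text):
        path = path[:depth] + [f"{group}:{artifact}:{version}"]  # rebuild chain at this depth
        if (group, artifact) == VULNERABLE_ARTIFACT:
            findings.append((" -> ".join(path), version, version_key(version) < fixed))
    return findings


if __name__ == "__main__":
    for chain, version, needs_fix in find_log4j_core(SAMPLE_TREE):
        print(("NEEDS FIX " if needs_fix else "ok        ") + chain)
```

The path string shows which direct dependency pulled in the vulnerable artifact, which is the relationship the article's repository analysis reconstructs at scale.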

03 Technical Support

Given the urgency of fixing the vulnerability, Huoxian provides free, powerful technical support to all enterprises. Online scanning is available at https://log4j2.huoxian.cn, or you can add the Huoxian assistant on WeChat to obtain a free absolute defense solution with full‑time expert assistance.

About Huoxian Security

Huoxian is a community‑driven cloud security company operating the Dongtai IAST and Huoxian Security Platform. Leveraging proprietary automated testing tools and a large pool of white‑hat experts, it helps enterprises mitigate security risks throughout the application lifecycle. Dongtai is the world’s first open‑source IAST product focused on DevSecOps, and the Huoxian platform is the first community‑native security crowdsourcing platform with nearly ten thousand registered white‑hat experts. Huoxian’s products and philosophy have attracted investment from prominent tech leaders such as Dr. Lu Qi, Matrix Partners China, and Wuyuan Capital. Clients include ByteDance, Meituan, Baidu, China Telecom, Bank of China, Sinopec, and many other major internet companies and state‑owned enterprises.

Tags: Java, Open Source, vulnerability, log4j2, enterprise, security analysis
Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
