Log4j Visualizer

The Log4j Visualizer does not work in High-Availability Clustering (HA-C) environments.


NEW IN 3.37.2

Log4j is the most popular logging framework used by Java software. As we detailed in our blog and are still monitoring in our Log4j Vulnerability Resource Center, vulnerability researchers uncovered a critical vulnerability (CVE-2021-44228, also known as "Log4Shell") in Log4j.

To help the global software community defend itself against this threat, we are providing an experimental Log4j Visualizer to all Nexus Repository OSS and Pro users. It gives greater visibility into downloads of the Maven log4j-core component that are affected by CVE-2021-44228.

Note that the Log4j Visualizer only captures information about the log4j-core component in Maven repositories and only identifies downloads affected by CVE-2021-44228. It does not currently identify or track other Log4j vulnerabilities.

The current Log4j Visualizer also searches for this vulnerability only by matching the specific path org/apache/logging/log4j/log4j-core. Copies of log4j-core that reach builds some other way, for example bundled inside another artifact or served from a non-Maven repository format, are therefore not counted.

Sonatype is providing this Log4j Visualizer for a limited time to all Nexus Repository OSS and Pro users due to the urgent threat that the Log4j vulnerability poses to the global software community. All access and use of the Log4j Visualizer is governed by the terms of your agreement with Sonatype or, in the absence of such, these terms. We may update or remove this feature completely in future versions.

Enabling the Capability

The Log4j Visualizer is disabled by default, and you must have the nx-all privilege to view the data.

When you log on to a version of Nexus Repository that includes the Log4j Visualizer, you will see a prompt explaining what the visualizer is and asking whether you would like to enable the capability by selecting the Enable Capability button. You can also enable (or later disable) the Log4j Visualizer through the Capabilities section of Nexus Repository.

Running the Recalculate Vulnerabilities Statistics Task

When you enable the Log4j Visualizer, Nexus Repository automatically creates the Statistics - Recalculate vulnerabilities statistics task and, by default, schedules it to run daily at midnight in the time zone of the host running Nexus Repository.

When first created, the task is scheduled to run at midnight that night. If you want to see data sooner, run the task manually by selecting the Run button on the task details screen.

Each time this task runs, it refreshes the data set displayed in the visualizer: it first discards any existing data, and then the logs processor reads every request log file in the default logs location for your Nexus Repository instance. These request logs are the data source that tells the visualizer how many downloads of log4j-core have taken place. The processor reads not only the current day's request log file but also the rotated request log files, which are kept for a maximum of 90 days by default. The visualizer therefore cannot report downloads older than your request log retention, and it sees nothing for periods in which request logging was not active.

Recommendations

To help you mitigate the impact of any Log4Shell downloads, the Log4j Visualizer lists the following recommendations at the top of the screen; they are repeated here:

Short-Term Recommendations

  1. Encourage development teams to upgrade their Log4j dependencies to a non-vulnerable version.
  2. Refer to the guidance in Sonatype's Find and Fix Log4j announcement.
  3. Don't delete vulnerable Log4j versions from your repositories except as a last resort. Fixing critical problems is harder when missing dependencies cause builds to break, and a build that fails on a missing artifact tells you nothing about which applications still ship the vulnerable version.
  4. Stay up to date with the latest Log4j developments.

Longer-Term Recommendations

  1. Consider reducing anonymous access to your repositories so that you can more easily identify who is consuming vulnerable dependencies. The visualizer can only attribute a download to a username when the request was made by an authenticated account.
  2. Block vulnerable open source components and malicious attacks from being downloaded into your repositories using Nexus Firewall.
  3. Reduce remediation time by using Nexus Lifecycle for continuous application monitoring.

Understanding the Data

Below the recommendations, the visualizer shows information about Maven Log4j component downloads in your organization, including the number of Maven log4j-core downloads affected by CVE-2021-44228 broken down by repository, username, and IP address.

There are three tables; each one displays different information:

  • One table breaks down how many times users downloaded log4j-core versions affected by CVE-2021-44228 from each repository.
  • Another table lists the usernames of the accounts that downloaded log4j-core versions affected by CVE-2021-44228.
  • Finally, a third table lists the client IP addresses that downloaded log4j-core versions affected by CVE-2021-44228. If clients reach Nexus Repository through a reverse proxy or load balancer, the logged address may be that of the proxy rather than the end client.
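As an added illustration of what the logs processor described above does (this is example code written for this page, not Sonatype's implementation), the following script reads Nexus Repository request logs, keeps only successful downloads of log4j-core under the org/apache/logging/log4j/log4j-core path, classifies each version against CVE-2021-44228, and produces the same three breakdowns the visualizer shows (by repository, by username, by IP address). The request log line layout, the /repository/<name>/ URL prefix, the rotated log file naming, and the affected version range (2.0-beta9 up to but not including 2.15.0, excluding the 2.3.x and 2.12.x security backports) are assumptions made for the example, and the sample log lines are constructed.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# Constructed sample request log lines. The layout is an assumption modelled on
# the combined-style request.log Nexus Repository writes: client IP, identity,
# user, timestamp, request line, status, content-length, bytes sent, elapsed ms,
# user agent. The 404 line and the .pom line exercise the filters below.
SAMPLE_REQUEST_LOG = """\
10.0.0.5 - jdoe [13/Dec/2021:09:12:01 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar HTTP/1.1" 200 - 1745015 312 "Apache-Maven/3.8.1 (Java 11)"
10.0.0.5 - jdoe [13/Dec/2021:09:12:02 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.pom HTTP/1.1" 200 - 4231 18 "Apache-Maven/3.8.1 (Java 11)"
10.0.0.9 - anonymous [13/Dec/2021:10:40:17 +0000] "GET /repository/maven-public/org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar HTTP/1.1" 200 - 1789769 255 "Gradle/7.3"
10.0.0.9 - anonymous [13/Dec/2021:10:41:00 +0000] "GET /repository/maven-public/org/apache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar HTTP/1.1" 200 - 1607005 201 "Gradle/7.3"
10.0.0.5 - jdoe [13/Dec/2021:11:00:00 +0000] "GET /repository/maven-public/org/apache/logging/log4j/log4j-core/2.13.3/log4j-core-2.13.3.jar HTTP/1.1" 200 - 1714164 190 "Apache-Maven/3.8.1 (Java 11)"
10.0.0.7 - build-svc [14/Dec/2021:02:03:44 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar HTTP/1.1" 200 - 300364 90 "Apache-Maven/3.6.3 (Java 8)"
10.0.0.7 - build-svc [14/Dec/2021:02:03:45 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-core/2.12.2/log4j-core-2.12.2.jar HTTP/1.1" 200 - 1650000 140 "Apache-Maven/3.6.3 (Java 8)"
10.0.0.7 - build-svc [14/Dec/2021:02:05:10 +0000] "GET /repository/maven-central/org/apache/logging/log4j/log4j-core/2.0-beta9/log4j-core-2.0-beta9.jar HTTP/1.1" 404 - 0 12 "Apache-Maven/3.6.3 (Java 8)"
"""

# Leading fields of a request log line (assumed layout, see above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only the documented path is matched, and only the .jar, since the .pom and
# checksum requests do not deliver the vulnerable classes (design choice here).
PATH_RE = re.compile(
    r'^/repository/(?P<repo>[^/]+)/org/apache/logging/log4j/log4j-core/'
    r'(?P<version>[^/]+)/log4j-core-(?P=version)\.jar$'
)

PRE_RANK = {"beta": 0, "rc": 1}  # pre-releases sort before the final release


def version_key(version):
    """Sortable key for Log4j 2 versions such as 2.0-beta9, 2.0-rc1, 2.0, 2.14.1."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", version)
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    pre_key = (PRE_RANK[pre], int(pre_num)) if pre else (2, 0)
    return (int(major), int(minor), int(patch or 0)) + pre_key


# Assumed affected range for CVE-2021-44228: 2.0-beta9 up to, not including,
# 2.15.0, minus the security backports for older Java versions.
FIRST_AFFECTED = version_key("2.0-beta9")
FIRST_FIXED = version_key("2.15.0")
SAFE_BACKPORTS = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}


def is_cve_2021_44228(version):
    key = version_key(version)
    if key is None:
        return False
    return FIRST_AFFECTED <= key < FIRST_FIXED and version not in SAFE_BACKPORTS


def iter_log_lines(log_dir):
    """Yield lines from request.log and its rotated copies (assumed to be
    named request-YYYY-MM-DD.log.gz alongside it)."""
    for path in sorted(Path(log_dir).glob("request*.log*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


def analyze(lines):
    """Count successful downloads of affected log4j-core versions by
    repository, username and client IP, mirroring the visualizer's tables."""
    by_repo, by_user, by_ip = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # skip malformed lines, non-GETs and failed requests
        pm = PATH_RE.match(m["path"])
        if not pm or not is_cve_2021_44228(pm["version"]):
            continue
        by_repo[pm["repo"]] += 1
        by_user[m["user"]] += 1
        by_ip[m["ip"]] += 1
    return {"by_repository": dict(by_repo),
            "by_username": dict(by_user),
            "by_ip": dict(by_ip)}


if __name__ == "__main__":
    # Run against the constructed sample; swap in iter_log_lines("/path/to/log")
    # to process a real Nexus Repository log directory.
    for table, counts in analyze(SAMPLE_REQUEST_LOG.splitlines()).items():
        print(table)
        for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {key:<16} {n}")
```

On the constructed sample, the 2.14.1, 2.13.3 and 2.11.1 jar downloads are counted, while the .pom request, the 2.16.0 and 2.12.2 downloads, the log4j-api request and the 404 are not. The "anonymous" row in the username table is exactly the attribution gap that the recommendation to reduce anonymous access addresses.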