[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"sanity-4VoRqOWMjT8OnEto_a2eHBFSgs6pN9QGcJrX-ox7K3E":3,"sanity-wK215nob2ErkqBGp-WEmKtl6UqofpZ4nB1e--ZFe5A4":607},{"data":4,"sourceMap":-1},{"latestPodcast":5,"latestReleases":14,"post":39,"recent":582},[6],{"_id":7,"publishedAt":8,"slug":9,"sponsored":12,"title":13},"d52b334e-4233-4e7d-a10b-bfba1472c2fb","2026-07-07T07:40:00.000Z",{"_type":10,"current":11},"slug","agent-orchestration-is-so-two-years-ago",null," Agent orchestration is so two-years ago",[15,21,27,33],{"_id":16,"publishedAt":17,"slug":18,"title":20},"eb5b66eb-9410-4329-83bb-22bbff39402a","2026-04-28T13:00:00.000Z",{"_type":10,"current":19},"turn-scattered-knowledge-into-trusted-intelligence","Turning scattered knowledge into trusted intelligence: Stack Internal 2026.3",{"_id":22,"publishedAt":23,"slug":24,"title":26},"369c2401-b62e-4a37-8ff8-bf603023ecad","2026-03-02T15:03:00.988Z",{"_type":10,"current":25},"what-s-new-at-stack-overflow-march-2026","What’s new at Stack Overflow: March 2026",{"_id":28,"publishedAt":29,"slug":30,"title":32},"5e9053a4-07ea-447c-91ea-29e0b6228537","2026-02-02T15:00:00.000Z",{"_type":10,"current":31},"what-s-new-at-stack-overflow-february-2026","What’s new at Stack Overflow: February 2026",{"_id":34,"publishedAt":35,"slug":36,"title":38},"a1b538eb-a8a6-46d0-80a1-ac70ec9bb935","2026-01-05T10:00:00.000-05:00",{"_type":10,"current":37},"what-s-new-at-stack-overflow-january-2026","What’s new at Stack Overflow: January 2026",{"_createdAt":40,"_id":41,"_rev":42,"_type":43,"_updatedAt":44,"author":45,"body":62,"comments":533,"dateUrl":534,"excerpt":535,"image":536,"legacyBody":539,"product":12,"publishedAt":542,"slug":543,"sponsored":12,"tags":545,"title":581,"visible":533},"2023-05-24T12:50:58Z","wp-post-19415","dgl3SCUzppW3U2LvCoT2I8","blogPost","2023-07-13T14:56:11Z",[46],{"_createdAt":47,"_id":48,"_rev":49,"_type":50,"_updatedAt":51,"avatar":52,"employee":57,"name":58,"role":59,"slug":60},"2023-05-23T16:27:18Z","wp-author-285","6ITt6aNaOunu1bujzUbkCs","blogAuthor","2025-06-11T14:02:55Z",{"_type":53,"asset":54},"image",{"_ref":55,"_type":56},"image-30f6e867375f54c8b45633865f176554c93e4d29-1024x1024-jpg","reference","current","David Gibson","Staff Data Scientist",{"current":61},"dgibson",[63,97,149,190,193,201,210,240,258,266,283,288,306,336,344,363,396,404,408,416,476,480,488,496,499,517,525],{"_key":64,"_type":65,"children":66,"markDefs":90,"style":96},"9719fa19aaed","block",[67,72,77,81,86],{"_key":68,"_type":69,"marks":70,"text":71},"9719fa19aaed0","span",[],"When we published our ",{"_key":73,"_type":69,"marks":74,"text":76},"9719fa19aaed1",[75],"9a3cfd96ad7a","data analysis of the security questions on Stack Overflow",{"_key":78,"_type":69,"marks":79,"text":80},"9719fa19aaed2",[]," and the ",{"_key":82,"_type":69,"marks":83,"text":85},"9719fa19aaed3",[84],"84aa5226b379","Information Security Stack Exchange",{"_key":87,"_type":69,"marks":88,"text":89},"9719fa19aaed4",[]," back in October, we found that every time that there was a major vulnerability or breach, there would be a corresponding uptick in the number of questions asked. It made intuitive sense, but the data confirmed it. But we didn’t expect to have new data to confirm this trend so soon.",[91,94],{"_key":75,"_type":92,"href":93,"reference":12},"link","https:\u002F\u002Fstackoverflow.blog\u002F2021\u002F10\u002F11\u002Fshift-to-remote-work-prompted-more-cybersecurity-questions-than-any-breach\u002F",{"_key":84,"_type":92,"href":95,"reference":12},"https:\u002F\u002Fsecurity.stackexchange.com\u002F","normal",{"_key":98,"_type":65,"children":99,"markDefs":140,"style":96},"54f064053791",[100,104,109,113,118,122,127,131,136],{"_key":101,"_type":69,"marks":102,"text":103},"54f0640537910",[],"On December ",{"_key":105,"_type":69,"marks":106,"text":108},"54f0640537911",[107],"24268c9c95c2","10th",{"_key":110,"_type":69,"marks":111,"text":112},"54f0640537912",[]," (or ",{"_key":114,"_type":69,"marks":115,"text":117},"54f0640537913",[116],"cfe43aa7070a","9th",{"_key":119,"_type":69,"marks":120,"text":121},"54f0640537914",[]," depending on who you ask), 2021, the maintainers of Log4j disclosed that the very popular Java logging library had a serious security vulnerability, dubbed Log4Shell. The bad news is the vulnerability could allow attackers to gain control of any system running specific versions of Log4j; ",{"_key":123,"_type":69,"marks":124,"text":126},"54f0640537915",[125],"d833603379f8","potentially hundreds of millions of systems and projects were at risk",{"_key":128,"_type":69,"marks":129,"text":130},"54f0640537916",[],". The good news is only some versions are vulnerable, and the solution is pretty simple: ",{"_key":132,"_type":69,"marks":133,"text":135},"54f0640537917",[134],"b1babb9bbe1c","update Log4j to version 2.16+",{"_key":137,"_type":69,"marks":138,"text":139},"54f0640537918",[],".",[141,143,145,147],{"_key":107,"_type":92,"href":142,"reference":12},"https:\u002F\u002Fblogs.opentext.com\u002Flog4j-vulnerability-explained-and-how-to-respond\u002F",{"_key":116,"_type":92,"href":144,"reference":12},"https:\u002F\u002Fwww.datadoghq.com\u002Fblog\u002Flog4j-log4shell-vulnerability-overview-and-remediation\u002F",{"_key":125,"_type":92,"href":146,"reference":12},"https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Flog4j-what-is-known\u002F611718\u002F",{"_key":134,"_type":92,"href":148,"reference":12},"https:\u002F\u002Flogging.apache.org\u002Flog4j\u002F2.x\u002Fdownload.html",{"_key":150,"_type":65,"children":151,"markDefs":183,"style":96},"934858760a73",[152,156,161,165,170,174,179],{"_key":153,"_type":69,"marks":154,"text":155},"934858760a730",[],"To get a sense of the scale of the problem, ",{"_key":157,"_type":69,"marks":158,"text":160},"934858760a731",[159],"9f890d50df9d","we asked our followers on Twitter",{"_key":162,"_type":69,"marks":163,"text":164},"934858760a732",[]," about the vulnerability. User ",{"_key":166,"_type":69,"marks":167,"text":169},"934858760a733",[168],"c25e6c82deca","Bakhtiyar Garashov",{"_key":171,"_type":69,"marks":172,"text":173},"934858760a734",[],"said, “If someone says [they weren’t affected] it is because either they don't use Java or they don't log at all.” It’s risen to the level of national security, with big tech companies talking to the federal government about ",{"_key":175,"_type":69,"marks":176,"text":178},"934858760a735",[177],"7e8cb1efc4a7","how to better secure open source projects",{"_key":180,"_type":69,"marks":181,"text":182},"934858760a736",[]," that become widespread dependencies.",[184,186,188],{"_key":159,"_type":92,"href":185,"reference":12},"https:\u002F\u002Ftwitter.com\u002FStackOverflow\u002Fstatus\u002F1481643170173636611",{"_key":168,"_type":92,"href":187,"reference":12},"https:\u002F\u002Ftwitter.com\u002FGarashovB",{"_key":177,"_type":92,"href":189,"reference":12},"https:\u002F\u002Fwww.siliconrepublic.com\u002Fenterprise\u002Fopen-source-google-github-white-house-summit",{"_key":191,"_type":192,"markDefs":12,"url":185},"d6251b4c6e0c","embed",{"_key":194,"_type":65,"children":195,"markDefs":200,"style":96},"3c39f0c5efb9",[196],{"_key":197,"_type":69,"marks":198,"text":199},"3c39f0c5efb90",[],"Suddenly, the version of Log4j implemented in your software became very important. Right on cue, thousands of developers checked what version their systems were using, and for those unsure about how to do that, the Stack Overflow community was there to help.",[],{"_key":202,"_type":65,"children":203,"markDefs":208,"style":209},"724a0c15fbca",[204],{"_key":205,"_type":69,"marks":206,"text":207},"724a0c15fbca0",[],"A sudden increase in traffic",[],"h2",{"_key":211,"_type":65,"children":212,"markDefs":235,"style":96},"2bce1c427e02",[213,217,222,226,231],{"_key":214,"_type":69,"marks":215,"text":216},"2bce1c427e020",[],"Over five years ago, ",{"_key":218,"_type":69,"marks":219,"text":221},"2bce1c427e021",[220],"7748ed915a9c","markthegrea",{"_key":223,"_type":69,"marks":224,"text":225},"2bce1c427e022",[]," asked, “",{"_key":227,"_type":69,"marks":228,"text":230},"2bce1c427e023",[229],"fb8c5531f860","How can I find out what version of Log4j I am using?",{"_key":232,"_type":69,"marks":233,"text":234},"2bce1c427e024",[],"” At the time, this was a pretty innocuous question; now, it was vital.",[236,238],{"_key":220,"_type":92,"href":237,"reference":12},"https:\u002F\u002Fstackoverflow.com\u002Fusers\u002F105408\u002Fmarkthegrea",{"_key":229,"_type":92,"href":239,"reference":12},"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002F37438652\u002Fhow-can-i-find-out-what-version-of-log4j-i-am-using",{"_key":241,"_type":65,"children":242,"markDefs":255,"style":96},"a76905a7ddab",[243,247,252],{"_key":244,"_type":69,"marks":245,"text":246},"a76905a7ddab0",[],"Thanks to the sudden importance of the answer, this question received 17 times more views (207K) in the last 30 days than it did in the previous five years combined. It even received a new top answer for developers looking to find out if any project of theirs could be running a vulnerable version, as some projects automatically include Log4j, leading to multiple versions on a single server. The answer even came with ",{"_key":248,"_type":69,"marks":249,"text":251},"a76905a7ddab1",[250],"bfbefe055af1","a program to scan all .jar files on a server and highlight vulnerable Log4j versions",{"_key":253,"_type":69,"marks":254,"text":139},"a76905a7ddab2",[],[256],{"_key":250,"_type":92,"href":257,"reference":12},"https:\u002F\u002Fgithub.com\u002Fmergebase\u002Flog4j-detector",{"_key":259,"_type":65,"children":260,"markDefs":265,"style":96},"a449d60aaeec",[261],{"_key":262,"_type":69,"marks":263,"text":264},"a449d60aaeec0",[],"At Stack Overflow, we call it knowledge reuse: when questions and answers are shared, they can be referenced, reused, and updated. This was a perfect example of an existing question that proved relevant to what developers needed to know in 2021.",[],{"_key":267,"_type":65,"children":268,"markDefs":282,"style":96},"0a57aab50e31",[269,273,278],{"_key":270,"_type":69,"marks":271,"text":272},"0a57aab50e310",[],"Besides the heavy activity on this question, the tag itself saw a jump in views. Web traffic to ",{"_key":274,"_type":69,"marks":275,"text":277},"0a57aab50e311",[276],"code","log4j",{"_key":279,"_type":69,"marks":280,"text":281},"0a57aab50e312",[]," questions totaled 766K views in the first seven days after the vulnerability was announced, averaging 110K views per day. That’s a 1,122% increase over the 9K average views per day before the announcement.",[],{"_key":284,"_type":53,"alt":12,"asset":285,"caption":287,"markDefs":12},"b84f751c0b4b",{"_ref":286,"_type":56},"image-af9f2327b53829b2f2c4a220572f0be3aad22df9-1600x838-png","",{"_key":289,"_type":65,"children":290,"markDefs":303,"style":96},"f0d43e7b6c06",[291,295,299],{"_key":292,"_type":69,"marks":293,"text":294},"f0d43e7b6c060",[],"Obviously, when something changes with a piece of technology, users will ask new questions, doubly so when what’s changed is a mission-critical security vulnerability. Users have asked 325 new ",{"_key":296,"_type":69,"marks":297,"text":277},"f0d43e7b6c061",[298,276],"66fc4b471b09",{"_key":300,"_type":69,"marks":301,"text":302},"f0d43e7b6c062",[]," questions in the first 30 days since the vulnerability was announced, nearly double the total number of questions asked previously. For the first seven days after the announcement, the tag averaged 20 new questions a day. Compare that with the volume before the announcement: an average of one lonely question per day.",[304],{"_key":298,"_type":92,"href":305,"reference":12},"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002Ftagged\u002Flog4j",{"_key":307,"_type":65,"children":308,"markDefs":331,"style":96},"3ec857173ee5",[309,313,318,322,327],{"_key":310,"_type":69,"marks":311,"text":312},"3ec857173ee50",[],"The vulnerability itself got a new tag: ",{"_key":314,"_type":69,"marks":315,"text":317},"3ec857173ee51",[316,276],"37634e50b480","log4shell",{"_key":319,"_type":69,"marks":320,"text":321},"3ec857173ee52",[],". This tag saw 13 questions asked and received over 25K views. The most popular of these new questions, “",{"_key":323,"_type":69,"marks":324,"text":326},"3ec857173ee53",[325],"9e407441163b","How can I mitigate the log4shell vulnerability in version 1.2 of Log4j?",{"_key":328,"_type":69,"marks":329,"text":330},"3ec857173ee54",[],",” garnered 22K views. The fact that this popular question was marked a duplicate is no surprise—people in a crisis generally have the same questions.",[332,334],{"_key":316,"_type":92,"href":333,"reference":12},"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002Ftagged\u002Flog4shell?tab=Votes",{"_key":325,"_type":92,"href":335,"reference":12},"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002F70312033\u002Fhow-can-i-mitigate-the-log4shell-vulnerability-in-version-1-2-of-log4j",{"_key":337,"_type":65,"children":338,"markDefs":343,"style":209},"c1947e4aa380",[339],{"_key":340,"_type":69,"marks":341,"text":342},"c1947e4aa3800",[],"Changes in what viewers wanted",[],{"_key":345,"_type":65,"children":346,"markDefs":360,"style":96},"832b4455692d",[347,351,356],{"_key":348,"_type":69,"marks":349,"text":350},"832b4455692d0",[],"The top ten most viewed questions since the announcement have all been related to the vulnerability in some form, with eight of them asked after the announcement and explicitly mentioning the vulnerability. The remaining two include the question discussed above about finding the version and another five-year-old question, “",{"_key":352,"_type":69,"marks":353,"text":355},"832b4455692d1",[354],"49bcc1f4c13f","Migrating from Log4j to Log4j2 - properties file configuration",{"_key":357,"_type":69,"marks":358,"text":359},"832b4455692d2",[],",” which received 19K views since the disclosure.",[361],{"_key":354,"_type":92,"href":362,"reference":12},"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002F35900555\u002Fmigrating-from-log4j-to-log4j2-properties-file-configuration",{"_key":364,"_type":65,"children":365,"markDefs":395,"style":96},"23fa08d27b43",[366,370,375,379,383,387,391],{"_key":367,"_type":69,"marks":368,"text":369},"23fa08d27b430",[],"After the disclosure, questions clearly shifted to directly reference the vulnerability. The words ",{"_key":371,"_type":69,"marks":372,"text":374},"23fa08d27b431",[373],"em","vulnerability",{"_key":376,"_type":69,"marks":377,"text":378},"23fa08d27b432",[],", ",{"_key":380,"_type":69,"marks":381,"text":382},"23fa08d27b433",[373],"version",{"_key":384,"_type":69,"marks":385,"text":386},"23fa08d27b434",[],", and ",{"_key":388,"_type":69,"marks":389,"text":390},"23fa08d27b435",[373],"cve",{"_key":392,"_type":69,"marks":393,"text":394},"23fa08d27b436",[]," were among the top five words mentioned after the disclosure, whereas these words were rarely mentioned before it.",[],{"_key":397,"_type":65,"children":398,"markDefs":403,"style":96},"2e7caca5077f",[399],{"_key":400,"_type":69,"marks":401,"text":402},"2e7caca5077f0",[373],"Pre-Vulnerability period includes the previous 325 questions asked. Post-Vulnerability period is from December 10th 2021 to January 10th 2022.",[],{"_key":405,"_type":53,"alt":12,"asset":406,"caption":287,"markDefs":12},"b1b9e2461222",{"_ref":407,"_type":56},"image-5e745f00935d3baeeb436396059f34fe98ce8cf3-1600x838-png",{"_key":409,"_type":65,"children":410,"markDefs":415,"style":96},"a04b6cc11902",[411],{"_key":412,"_type":69,"marks":413,"text":414},"a04b6cc119020",[],"When looking at the top 100 words used before and after the announcement it becomes even more clear that the majority of new questions are directly related to the vulnerability. Specific Log4j version numbers are referenced in the titles (1.2.17, 1.2, 2.17). We even see Logback, a successor to Log4j, start to appear in the titles.",[],{"_key":417,"_type":65,"children":418,"markDefs":475,"style":96},"0dad110b532d",[419,423,428,431,435,438,442,446,449,452,456,460,464,468,472],{"_key":420,"_type":69,"marks":421,"text":422},"0dad110b532d0",[],"We broadened our semantic analysis to include more than just the top five words to reveal what users were trying to learn before and after the vulnerability. Words like ",{"_key":424,"_type":69,"marks":425,"text":427},"0dad110b532d1",[426],"strong","logs",{"_key":429,"_type":69,"marks":430,"text":378},"0dad110b532d2",[],{"_key":432,"_type":69,"marks":433,"text":434},"0dad110b532d3",[426],"file",{"_key":436,"_type":69,"marks":437,"text":386},"0dad110b532d4",[],{"_key":439,"_type":69,"marks":440,"text":441},"0dad110b532d5",[426],"logging",{"_key":443,"_type":69,"marks":444,"text":445},"0dad110b532d6",[]," were frequently used prior to the announcement, which suggests that these questions were in regards to Log4j's core functionality. After the vulnerability there was a clear shift where new questions were a direct result of the vulnerability. Not only did the words ",{"_key":447,"_type":69,"marks":448,"text":374},"0dad110b532d7",[426],{"_key":450,"_type":69,"marks":451,"text":378},"0dad110b532d8",[],{"_key":453,"_type":69,"marks":454,"text":455},"0dad110b532d9",[426],"vulnerable,",{"_key":457,"_type":69,"marks":458,"text":459},"0dad110b532d10",[]," and ",{"_key":461,"_type":69,"marks":462,"text":463},"0dad110b532d11",[426],"security",{"_key":465,"_type":69,"marks":466,"text":467},"0dad110b532d12",[]," begin to appear, but we also see specific versions being referenced and the vulnerability itself ",{"_key":469,"_type":69,"marks":470,"text":471},"0dad110b532d13",[426],"CVE-2021-44228",{"_key":473,"_type":69,"marks":474,"text":139},"0dad110b532d14",[],[],{"_key":477,"_type":53,"alt":12,"asset":478,"caption":287,"markDefs":12},"afd083187541",{"_ref":479,"_type":56},"image-31b08b52edbfdc7d5aeca157bf745634f8b03368-1600x1375-png",{"_key":481,"_type":65,"children":482,"markDefs":487,"style":209},"f8752498dd0f",[483],{"_key":484,"_type":69,"marks":485,"text":486},"f8752498dd0f0",[],"Questions in a crisis",[],{"_key":489,"_type":65,"children":490,"markDefs":495,"style":96},"9cc9e3d6d413",[491],{"_key":492,"_type":69,"marks":493,"text":494},"9cc9e3d6d4130",[],"Any security vulnerability in a software dependency creates a whole lot of uncertainty for its users. Does this affect me? How can I tell? And what do I do if I’m affected? As a site where technologists go to gain and share knowledge—specifically those who create software—we have a window into the uncertainties the software community is facing. Getting the answers they need, when they need them is essential.",[],{"_key":497,"_type":192,"markDefs":12,"url":498},"2ea9e7a9da66","https:\u002F\u002Ftwitter.com\u002FStackOverflow\u002Fstatus\u002F1481644344213790721",{"_key":500,"_type":65,"children":501,"markDefs":514,"style":96},"bcbad025bb58",[502,506,511],{"_key":503,"_type":69,"marks":504,"text":505},"bcbad025bb580",[],"This vulnerability may have been fixed in an update, but the challenge with open source is that updates don’t always permeate the industry retroactively. Vulnerabilities like Log4j will live on in the affected versions. Studies have found that over ",{"_key":507,"_type":69,"marks":508,"text":510},"bcbad025bb581",[509],"5ccd1f95f32e","80% of projects still use outdated dependencies",{"_key":512,"_type":69,"marks":513,"text":139},"bcbad025bb582",[],[515],{"_key":509,"_type":92,"href":516,"reference":12},"https:\u002F\u002Farxiv.org\u002Fabs\u002F1709.04621",{"_key":518,"_type":65,"children":519,"markDefs":524,"style":96},"58cdd0e3c382",[520],{"_key":521,"_type":69,"marks":522,"text":523},"58cdd0e3c3820",[],"“There are many fantastic, free tools available to software developers, things we use everyday that we don't even think twice about using,” Matt Kiernander, technical advocate here at Stack Overflow. “The Log4J vulnerability is a prime example of what could go wrong when we trust too casually. Log4j was built by Apache, a well known and trusted entity that's provided much value to the open source community over the years. If this can happen with Apache, what about that third party library you downloaded from npm that had 3.5 stars but 'did the trick?' Many devs will download things just because they work without considering the potential security impacts it could have in an application. ”",[],{"_key":526,"_type":65,"children":527,"markDefs":532,"style":96},"12d4d462606d",[528],{"_key":529,"_type":69,"marks":530,"text":531},"12d4d462606d0",[],"There’s a huge number of free, open source libraries available to make your development life easier, but these dependencies are out of your control—as are the security issues that they face. When project maintainers realize that they are vulnerable to system takeovers and data exfiltration, Stack Overflow will be here to help them locate and mitigate these issues.",[],true,"2022\u002F01\u002F19","When the Log4j security issue was disclosed, developers came looking for answers. We took a look at our site data around it. ",{"_type":53,"asset":537},{"_ref":538,"_type":56},"image-ea57e82abb98b70aee17ce62999f3292fbf062f0-2400x1256-png",{"code":540,"language":541},"\u003C!-- wp:paragraph -->\n\u003Cp>When we published our \u003Ca href=\"https:\u002F\u002Fstackoverflow.blog\u002F2021\u002F10\u002F11\u002Fshift-to-remote-work-prompted-more-cybersecurity-questions-than-any-breach\u002F\">data analysis of the security questions on Stack Overflow\u003C\u002Fa> and the \u003Ca href=\"https:\u002F\u002Fsecurity.stackexchange.com\u002F\">Information Security Stack Exchange\u003C\u002Fa> back in October, we found that every time that there was a major vulnerability or breach, there would be a corresponding uptick in the number of questions asked. It made intuitive sense, but the data confirmed it. But we didn’t expect to have new data to confirm this trend so soon.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>On December \u003Ca href=\"https:\u002F\u002Fblogs.opentext.com\u002Flog4j-vulnerability-explained-and-how-to-respond\u002F\">10th\u003C\u002Fa> (or \u003Ca href=\"https:\u002F\u002Fwww.datadoghq.com\u002Fblog\u002Flog4j-log4shell-vulnerability-overview-and-remediation\u002F\">9th\u003C\u002Fa> depending on who you ask), 2021, the maintainers of Log4j disclosed that the very popular Java logging library had a serious security vulnerability, dubbed Log4Shell. The bad news is the vulnerability could allow attackers to gain control of any system running specific versions of Log4j; \u003Ca href=\"https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Flog4j-what-is-known\u002F611718\u002F\">potentially hundreds of millions of systems and projects were at risk\u003C\u002Fa>. The good news is only some versions are vulnerable, and the solution is pretty simple: \u003Ca href=\"https:\u002F\u002Flogging.apache.org\u002Flog4j\u002F2.x\u002Fdownload.html\">update Log4j to version 2.16+\u003C\u002Fa>.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>To get a sense of the scale of the problem, \u003Ca href=\"https:\u002F\u002Ftwitter.com\u002FStackOverflow\u002Fstatus\u002F1481643170173636611\">we asked our followers on Twitter\u003C\u002Fa> about the vulnerability. User \u003Ca href=\"https:\u002F\u002Ftwitter.com\u002FGarashovB\">Bakhtiyar Garashov\u003C\u002Fa>\u003Cstrong> \u003C\u002Fstrong>said, “If someone says [they weren’t affected] it is because either they don't use Java or they don't log at all.” It’s risen to the level of national security, with big tech companies talking to the federal government about \u003Ca href=\"https:\u002F\u002Fwww.siliconrepublic.com\u002Fenterprise\u002Fopen-source-google-github-white-house-summit\">how to better secure open source projects\u003C\u002Fa> that become widespread dependencies.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:embed {\"url\":\"https:\u002F\u002Ftwitter.com\u002FStackOverflow\u002Fstatus\u002F1481643170173636611\",\"type\":\"rich\",\"providerNameSlug\":\"twitter\",\"responsive\":true,\"align\":\"center\"} -->\n\u003Cfigure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\u003Cdiv class=\"wp-block-embed__wrapper\">\nhttps:\u002F\u002Ftwitter.com\u002FStackOverflow\u002Fstatus\u002F1481643170173636611\n\u003C\u002Fdiv>\u003C\u002Ffigure>\n\u003C!-- \u002Fwp:embed -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>Suddenly, the version of Log4j&nbsp; implemented in your software became very important. Right on cue, thousands of developers checked what version their systems were using, and for those unsure about how to do that, the Stack Overflow community was there to help.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:heading -->\n\u003Ch2 id=\"h-a-sudden-increase-in-traffic\">A sudden increase in traffic\u003C\u002Fh2>\n\u003C!-- \u002Fwp:heading -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>Over five years ago, \u003Ca href=\"https:\u002F\u002Fstackoverflow.com\u002Fusers\u002F105408\u002Fmarkthegrea\">markthegrea\u003C\u002Fa> asked, “\u003Ca href=\"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002F37438652\u002Fhow-can-i-find-out-what-version-of-log4j-i-am-using\">How can I find out what version of Log4j I am using?\u003C\u002Fa>” At the time, this was a pretty innocuous question; now, it was vital.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>Thanks to the sudden importance of the answer, this question received 17 times more views (207K) in the last 30 days than it did in the previous five years combined. It even received a new top answer for developers looking to find out if any project of theirs could be running a vulnerable version, as some projects automatically include Log4j, leading to multiple versions on a single server. The answer even came with \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fmergebase\u002Flog4j-detector\">a program to scan all .jar files on a server and highlight vulnerable Log4j versions\u003C\u002Fa>.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>At Stack Overflow, we call it knowledge reuse: when questions and answers are shared, they can be referenced, reused, and updated. This was a perfect example of an existing question that proved relevant to what developers needed to know in 2021.\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>Besides the heavy activity on this question, the tag itself saw a jump in views. Web traffic to \u003Ccode>log4j\u003C\u002Fcode> questions totaled 766K views in the first seven days after the vulnerability was announced, averaging 110K views per day. That’s a 1,122% increase over the 9K average views per day before the announcement.\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:image -->\n\u003Cfigure class=\"wp-block-image\">\u003Cimg src=\"https:\u002F\u002Flh5.googleusercontent.com\u002FUX1juZvUOspLLlNnv7xwpq_TBN9pdVaT8kRYRV0IA0KUsiPxShk3EHItIkOol0YXHVR2-UKcBpCsdxe6igH3C3rug0_AzKmA6VK6EhqbfPW2ZFZqKpOYS3wwseixbbFxkKUaRoaU\" alt=\"\"\u002F>\u003C\u002Ffigure>\n\u003C!-- \u002Fwp:image -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>Obviously, when something changes with a piece of technology, users will ask new questions, doubly so when what’s changed is a mission-critical security vulnerability. Users have asked 325 new \u003Ca href=\"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002Ftagged\u002Flog4j\">\u003Ccode>log4j\u003C\u002Fcode>\u003C\u002Fa> questions in the first 30 days since the vulnerability was announced, nearly double the total number of questions asked previously. For the first seven days after the announcement, the tag averaged 20 new questions a day. Compare that with the volume before the announcement: an average of one lonely question per day.\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>The vulnerability itself got a new tag: \u003Ca href=\"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002Ftagged\u002Flog4shell?tab=Votes\">\u003Ccode>log4shell\u003C\u002Fcode>\u003C\u002Fa>. This tag saw 13 questions asked and received over 25K views. The most popular of these new questions, “\u003Ca href=\"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002F70312033\u002Fhow-can-i-mitigate-the-log4shell-vulnerability-in-version-1-2-of-log4j\">How can I mitigate the log4shell vulnerability in version 1.2 of Log4j?\u003C\u002Fa>,” garnered 22K views. The fact that this popular question was marked a duplicate is no surprise—people in a crisis generally have the same questions. \u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:heading -->\n\u003Ch2 id=\"h-changes-in-what-viewers-wanted\">Changes in what viewers wanted\u003C\u002Fh2>\n\u003C!-- \u002Fwp:heading -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>The top ten most viewed questions since the announcement have all been related to the vulnerability in some form, with eight of them asked after the announcement and explicitly mentioning the vulnerability. The remaining two include the question discussed above about finding the version and another five-year-old question, “\u003Ca href=\"https:\u002F\u002Fstackoverflow.com\u002Fquestions\u002F35900555\u002Fmigrating-from-log4j-to-log4j2-properties-file-configuration\">Migrating from Log4j to Log4j2 - properties file configuration\u003C\u002Fa>,” which received 19K views since the disclosure.\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>After the disclosure, questions clearly shifted to directly reference the vulnerability. The words \u003Cem>vulnerability\u003C\u002Fem>, \u003Cem>version\u003C\u002Fem>, and \u003Cem>cve\u003C\u002Fem> were among the top five words mentioned after the disclosure, whereas these words were rarely mentioned before it.\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>\u003Cem>Pre-Vulnerability period includes the previous 325 questions asked. Post-Vulnerability period is from December 10th 2021 to January 10th 2022.\u003C\u002Fem>\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:image -->\n\u003Cfigure class=\"wp-block-image\">\u003Cimg src=\"https:\u002F\u002Flh4.googleusercontent.com\u002FHSJ6714MYkz0-7Dmif24eNVqkU3hv-B9bZwmK-1cUpcfKcTUevtDrq2om9lZBaCWWEHFRRTH08fGKiT4tD8O1VvJ2CVCFZfj7WReheIomu-7-xnDI98GXgefM72vih1pZBnde7s-\" alt=\"\"\u002F>\u003C\u002Ffigure>\n\u003C!-- \u002Fwp:image -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>When looking at the top 100 words used before and after the announcement it becomes even more clear that the majority of new questions are directly related to the vulnerability. Specific Log4j version numbers are referenced in the titles (1.2.17, 1.2, 2.17). We even see Logback, a successor to Log4j, start to appear in the titles.\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>We broadened our semantic analysis to include more than just the top five words to reveal what users were trying to learn before and after the vulnerability. Words like \u003Cstrong>logs\u003C\u002Fstrong>, \u003Cstrong>file\u003C\u002Fstrong>, and \u003Cstrong>logging\u003C\u002Fstrong> were frequently used prior to the announcement, which suggests that these questions were in regards to Log4j's core functionality. After the vulnerability there was a clear shift where new questions were a direct result of the vulnerability. Not only did the words \u003Cstrong>vulnerability\u003C\u002Fstrong>, \u003Cstrong>vulnerable,\u003C\u002Fstrong> and \u003Cstrong>security\u003C\u002Fstrong> begin to appear, but we also see specific versions being referenced and the vulnerability itself \u003Cstrong>CVE-2021-44228\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:image -->\n\u003Cfigure class=\"wp-block-image\">\u003Cimg src=\"https:\u002F\u002Flh4.googleusercontent.com\u002FO_jhMSKzYeLkOtYV4_rOm6N_K8XTq9-RSH2_JctHeo0gx6x3D8dPHSRAhCkW6ibF6A39Fxh1TWhMiwnHW9IzsdmBP3gZG8ejMLQaFU2NwGvJxI57KyNgpA1Ijj7D-3jGqC8vmoWh\" alt=\"\"\u002F>\u003C\u002Ffigure>\n\u003C!-- \u002Fwp:image -->\n\n\u003C!-- wp:heading -->\n\u003Ch2 id=\"h-questions-in-a-crisis\">Questions in a crisis\u003C\u002Fh2>\n\u003C!-- \u002Fwp:heading -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>Any security vulnerability in a software dependency creates a whole lot of uncertainty for its users. Does this affect me? How can I tell? And what do I do if I’m affected? As a site where technologists go to gain and share knowledge—specifically those who create software—we have a window into the uncertainties the software community is facing. Getting the answers they need, when they need them is essential.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:embed {\"url\":\"https:\u002F\u002Ftwitter.com\u002FStackOverflow\u002Fstatus\u002F1481644344213790721\",\"type\":\"rich\",\"providerNameSlug\":\"twitter\",\"responsive\":true,\"align\":\"center\"} -->\n\u003Cfigure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\u003Cdiv class=\"wp-block-embed__wrapper\">\nhttps:\u002F\u002Ftwitter.com\u002FStackOverflow\u002Fstatus\u002F1481644344213790721\n\u003C\u002Fdiv>\u003C\u002Ffigure>\n\u003C!-- \u002Fwp:embed -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>This vulnerability may have been fixed in an update, but the challenge with open source is that updates don’t always permeate the industry retroactively. Vulnerabilities like Log4j will live on in the affected versions. Studies have found that over \u003Ca href=\"https:\u002F\u002Farxiv.org\u002Fabs\u002F1709.04621\">80% of projects still use outdated dependencies\u003C\u002Fa>.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>“There are many fantastic, free tools available to software developers, things we use everyday that we don't even think twice about using,” Matt Kiernander, technical advocate here at Stack Overflow. “The Log4J vulnerability is a prime example of what could go wrong when we trust too casually. Log4j was built by Apache, a well known and trusted entity that's provided much value to the open source community over the years. If this can happen with Apache, what about that third party library you downloaded from npm that had 3.5 stars but 'did the trick?' Many devs will download things just because they work without considering the potential security impacts it could have in an application. ”\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->\n\n\u003C!-- wp:paragraph -->\n\u003Cp>There’s a huge number of free, open source libraries available to make your development life easier, but these dependencies are out of your control—as are the security issues that they face. When project maintainers realize that they are vulnerable to system takeovers and data exfiltration, Stack Overflow will be here to help them locate and mitigate these issues.&nbsp;\u003C\u002Fp>\n\u003C!-- \u002Fwp:paragraph -->","html","2022-01-19T20:35:40.000Z",{"current":544},"heres-how-stack-overflow-users-responded-to-log4shell-the-log4j-vulnerability-affecting-almost-everyone",[546,554,559,563,568,571,574,579],{"_createdAt":547,"_id":548,"_rev":549,"_type":550,"_updatedAt":547,"slug":551,"title":553},"2023-05-23T16:43:21Z","wp-tagcat-stackoverflowknows","9HpbCsT2tq0xwozQfkc4ih","blogTag",{"current":552},"stackoverflowknows","#StackOverflowKnows",{"_createdAt":547,"_id":555,"_rev":549,"_type":550,"_updatedAt":547,"slug":556,"title":558},"wp-tagcat-community",{"current":557},"community","Community",{"_createdAt":547,"_id":560,"_rev":549,"_type":550,"_updatedAt":547,"slug":561,"title":562},"wp-tagcat-data",{"current":562},"data",{"_createdAt":547,"_id":564,"_rev":549,"_type":550,"_updatedAt":547,"slug":565,"title":567},"wp-tagcat-insights",{"current":566},"insights","Insights",{"_createdAt":547,"_id":569,"_rev":549,"_type":550,"_updatedAt":547,"slug":570,"title":277},"wp-tagcat-log4j",{"current":277},{"_createdAt":547,"_id":572,"_rev":549,"_type":550,"_updatedAt":547,"slug":573,"title":463},"wp-tagcat-security",{"current":463},{"_createdAt":547,"_id":575,"_rev":549,"_type":550,"_updatedAt":547,"slug":576,"title":578},"wp-tagcat-survey",{"current":577},"survey","Survey",{"_createdAt":547,"_id":575,"_rev":549,"_type":550,"_updatedAt":547,"slug":580,"title":578},{"current":577},"Here’s how Stack Overflow users responded to Log4Shell, the Log4j vulnerability affecting almost everyone",[583,589,595,601],{"_id":584,"publishedAt":585,"slug":586,"sponsored":12,"title":588},"76c9771b-34e6-4d98-8641-ecefc711f0ef","2026-07-06T15:23:34.559Z",{"_type":10,"current":587},"when-the-sensor-starts-thinking-snortml-agentic-ai-and-the-evolving-architecture-of-intrusion-detection","When the sensor starts thinking: SnortML, agentic AI, and the evolving architecture of intrusion detection",{"_id":590,"publishedAt":591,"slug":592,"sponsored":12,"title":594},"28e560af-f0aa-4d46-bd90-f435ad604aa7","2026-06-26T14:00:27.102Z",{"_type":10,"current":593},"paging-charity-how-can-engineering-leaders-avoid-becoming-bond-villains","Paging Charity! How can engineering leaders avoid becoming Bond villains?",{"_id":596,"publishedAt":597,"slug":598,"sponsored":12,"title":600},"4b22c2a3-3779-4966-93eb-5230391dbdce","2026-06-23T14:08:58.595Z",{"_type":10,"current":599},"your-ai-shipped-a-backend-that-boots-that-is-the-whole-problem","Your AI shipped a backend that boots. That is the whole problem.",{"_id":602,"publishedAt":603,"slug":604,"sponsored":12,"title":606},"5cf362e1-fe7b-45af-b69c-914731c6a052","2026-06-23T14:00:00.000Z",{"_type":10,"current":605},"the-2026-developer-survey-is-now-open-for-human-developers-only","The 2026 Developer Survey is now open (for human developers only)!",{"data":608,"sourceMap":-1},{"count":609,"lastTimestamp":610},2,"2023-05-25T09:47:44Z"]