The Google Security Blog looks
into the ripple effects of the Log4j vulnerability.
Most artifacts that depend on log4j do so indirectly. The deeper
the vulnerability is in a dependency chain, the more steps are
required for it to be fixed. The following diagram shows a
histogram of how deeply an affected log4j package (core or api)
first appears in consumers dependency graphs. For greater than 80%
of the packages, the vulnerability is more than one level deep,
with a majority affected five levels down (and some as many as nine
levels down). These packages will require fixes throughout all
parts of the tree, starting from the deepest dependencies first.