Over 80% of Java packages stored on Maven Central Repository have log4j as an indirect dependency, with most of them burying the vulnerable version five levels deep, says Google's Open Source Insights Team.