Welcome to the JFrog Blog

Latest from Xray :

How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration

May 30, 2024 Batel Zohar, JFrog Developer Advocate Carmit Hershman, JFrog Senior Software Architect, CTO Office

8 min read

The latest JFrog collaboration with GitHub enables you to easily combine your favorite solutions for source code and binaries in a seamless integration. This means you now have a unified comprehensive and secure end-to-end experience that supports your software projects. This integration covers everything from curating open source packages, coding, CI, release management, deployment and…

Read More
Log4j Vulnerability Alert: 100s of Exposed Packages Uncovered in Maven Central

Log4j Vulnerability Alert: 100s of Exposed Packages Uncovered in Maven Central

December 30, 2021 Ilya Khivrich | 5 min read

The high risk associated with newly discovered vulnerabilities in the highly popular Apache Log4j library - CVE-2021-44228 (also known as Log4Shell) and CVE-2021-45046 - has led to a security frenzy of unusual scale and urgency. Developers and security teams are pressed to investigate the impact of  Log4j vulnerabilities on their software, revealing multiple technical challenges…
Read More
Log4j Detection with JFrog OSS Scanning Tools

Log4j Detection with JFrog OSS Scanning Tools

December 28, 2021 Ilya Khivrich | 4 min read

The discovery of the Log4Shell vulnerability in the ubiquitous Apache Log4j package is a singular event in terms of both its impact and severity. Over 1 million attack attempts exploiting the Log4Shell vulnerability were detected within days after it was exposed, and it may take years before we see its full impact. While it's hard…
Read More
Catching Log4j in the Wild: Find, Fix and Fortify

Catching Log4j in the Wild: Find, Fix and Fortify

December 23, 2021 Gianni Truzzi | 10 min read

At many organizations, the surprise discovery that the widely used Log4Shell open source software has harbored a longtime critical vulnerability was as if Scrooge and the Grinch had teamed up for the biggest holiday heist of all. Incident response teams across the globe have scrambled to remediate thousands, if not millions of applications. “For cybercriminals this…
Read More
Log4j Log4Shell Vulnerability Q&A

Log4j Log4Shell Vulnerability Q&A

December 21, 2021 Asaf Cohen | 5 min read

In our recent webinar, Log4j Log4Shell Vulnerability Explained: All You Need To Know, our  Senior Director Security Research expert Shachar Menashe shared information on the security issue and how to detect and remediate it. We are happy to share additional information in the following Q&A, based on the questions raised during the webinar. The Log4j…
Read More
Your Log4shell Remediation Cookbook Using the JFrog Platform

Your Log4shell Remediation Cookbook Using the JFrog Platform

December 18, 2021 Asaf Cohen | 9 min read

UPDATED 1/14/2022: Added information on JFrog tool to patch Docker images in Artifactory repositories. Last week, a researcher from the Alibaba Cloud Security Team dropped a zero-day remote code execution exploit on Twitter, targeting the extremely popular log4j logging framework for Java (specifically, the 2.x branch called Log4j2). The vulnerability was originally discovered and reported to…
Read More
Log4j Log4Shell 0-Day Vulnerability: All You Need To Know

Log4j Log4Shell 0-Day Vulnerability: All You Need To Know

December 28, 2021 Shachar Menashe, Or Peles, Ori Hollander | 27 min read

On Thursday, Dec 9th 2021, a researcher from the Alibaba Cloud Security Team dropped a zero-day remote code execution exploit on Twitter, targeting the extremely popular log4j logging framework for Java (specifically, the 2.x branch called Log4j2). The vulnerability was originally discovered and reported to Apache by the Alibaba cloud security team on November 24th.…
Read More
Glide to JFrog DevSecOps with the New Experience

Glide to JFrog DevSecOps with the New Experience

December 13, 2021 Eyal Ben Moshe | 5 min read

We're excited to share with you that we have launched a completely new way to start using the JFrog DevOps Platform that you – as a developer – will love. We’ve provided a super-easy, developer-friendly path to discovering how Artifactory and Xray can help you produce safer apps, faster, getting started through the command line…
Read More
Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed

Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed

December 8, 2021 Andrey Polkovnychenko and Shachar Menashe | 13 min read

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 11 malicious packages in the PyPI repository, a discovery that shows attacks are getting more sophisticated in their approach.…
Read More
Python Malware Imitates Signed PyPI Traffic in Novel Exfiltration Technique

Python Malware Imitates Signed PyPI Traffic in Novel Exfiltration Technique

November 18, 2021 Andrey Polkovnychenko and Shachar Menashe | 10 min read

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to report vulnerable and malicious packages to repository maintainers. Earlier this year we disclosed several malicious packages targeting developers’ private data that were downloaded approximately 30K times. Today, we will share details about 11 new malware packages that…
Read More
TensorFlow Python Code Injection: More eval() Woes

TensorFlow Python Code Injection: More eval() Woes

November 16, 2021 Omer Kaspi and Shachar Menashe | 2 min read

Background JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in one of the utilities shipped with TensorFlow, a popular Machine Learning platform that's widely used in the industry. The issue has been assigned to CVE-2021-41228. Read more about our previous, similar disclosure in Yamale in our previous blog post. The…
Read More

Popular Tags