JFrog Took Security to New Heights in 2021

With security now a critical “must have” for DevOps teams, JFrog significantly deepened and extended our platform’s already solid security capabilities in 2021. In this post, we’ll look back at our major advances last year – and look forward at what’s to come in 2022.  Our goal: To explain how we’re providing to our customers …

2022 Trends - Shlomi Ben Haim

DevOps 2022: 5 Big Rocks to Harness the Software Supply Chain

Together with the community, JFrog pioneered what we now know as DevOps with a focus on binaries (aka software packages, artifacts or images). A decade ago, no one thought binary management would be a thing — now it’s a standard most companies can’t live without. Back then, we said software universality would be necessary, and …

Log4j in the Wild

Catching Log4j in the Wild: Find, Fix and Fortify

At many organizations, the surprise discovery that the widely used Apache log4j open source software has harbored a longtime critical vulnerability was as if Scrooge and the Grinch had teamed up for the biggest holiday heist of all. Incident response teams across the globe have scrambled to remediate thousands, if not millions of applications. “For …

Log4shell Vulnerability Explained

Log4j Log4Shell 0-Day Vulnerability: All You Need To Know

On Thursday, Dec 9th 2021, a researcher from the Alibaba Cloud Security Team dropped a zero-day remote code execution exploit on Twitter, targeting the extremely popular log4j logging framework for Java (specifically, the 2.x branch called Log4j2). The vulnerability was originally discovered and reported to Apache by the Alibaba cloud security team on November 24th. …

Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 11 malicious packages in the PyPI repository, a discovery that shows attacks are getting more sophisticated in their approach. …

Python Malware Imitates Signed PyPI Traffic in Novel Exfiltration Technique

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to report vulnerable and malicious packages to repository maintainers. Earlier this year we disclosed several malicious packages targeting developers’ private data that were downloaded approximately 30K times. Today, we will share details about 11 new malware packages that …

TensorFlow Python code injection 203x148

TensorFlow Python Code Injection: More eval() Woes

Background JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in one of the utilities shipped with TensorFlow, a popular Machine Learning platform that’s widely used in the industry. The issue has been assigned to CVE-2021-41228. Read more about our previous, similar disclosure in Yamale in our previous blog post. The …

Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog

Background Embedded devices with limited memory and storage resources are likely to leverage a tool such as BusyBox, which is marketed as the Swiss Army Knife of embedded Linux. BusyBox is a software suite of many useful Unix utilities, known as applets, that are packaged as a single executable file. Within BusyBox you can find …

Denial of Service (DoS) in Netty’s Decompressors

CVE-2021-37136 & CVE-2021-37137 – Denial of Service (DoS) in Netty’s Decompressors

Background The JFrog Security research team has recently disclosed two denial of service issues (CVE-2021-37136, CVE-2021-37137) in Netty, a popular client/server framework which enables quick and easy development of network applications such as protocol servers and clients. In this post we will elaborate on one of the issues – CVE-2021-37136. Who is actually impacted? Netty …

Don’t let Prometheus Steal your Fire

Don’t let Prometheus Steal your Fire

Background Prometheus is an open-source, metrics-based event monitoring and alerting solution for cloud applications. It is used by nearly 800 cloud-native organizations including Uber, Slack, Robinhood, and more. By scraping real-time metrics from various endpoints, Prometheus allows easy observation of a system’s state in addition to observation of hardware and software metrics such as memory …