JFrog Log4j vulnerability
resources at your fingertips

Log4J & Log4Shell Resources

Log4j Log4Shell 0-Day Vulnerability - All You Need To Know

All You Need To Know

The Log4j & Log4shell vulnerability was originally discovered and reported to Apache by the Alibaba cloud security team on November 24th. MITRE assigned CVE-2021-44228 to this vulnerability, which has since been dubbed Log4Shell by security researchers. Understand Log4j Log4Shell exploitation vectors, learn exactly what’s vulnerable, and discover remediations about this zero-day vulnerability.

Log4shell Remediation Cookbook Using the JFrog Platform

Remediation Cookbook

In this technical blog post, we will address the detection, blocking, and remediation options you can take to protect your organization using the JFrog platform and you will learn how to detect, block, and remediate to protect your organization from the log4j vulnerability using JFrog Artifactory and Xray.

Log4j Detection with JFrog OSS Log4shell Scanning Tools

Free OSS Scanning Tools

While it’s hard to draw general lessons from this Log4j extreme scenario, it provides an opportunity to gauge our existing software development, testing, and release methodologies, and consider what can be done differently in the future to prevent this scenario. JFrog Log4j free OSS scanning tools allow you to detect Log4Shell vulnerabilities by scanning code on a deeper level, finding vulnerable packages that other scanning tools miss.

Log4j Log4Shell Vulnerability Explained - All You Need To Know

Log4j - What Happened?

Join JFrog’s Senior Director Security Research, Shachar Menashe as he discusses the following Log4j and Log4shell topics:
– What is the Log4Shell vulnerability in Log4j and why is it so critical?
– Under what conditions can the vulnerability be exploited?
– Mitigation options, including available solutions when a software upgrade is not feasible
– How to efficiently detect the Log4Shell vulnerability in your software artifacts using JFrog Xray

Log4j Log4shell survival guide - Download


Looking for a simplified explanation for all of the Log4j vulnerabilities discovered and what you need to do?. This handy survival guide gives you all the essentials you need to know about the latest findings on Log4j vulnerability risks, all of the mitigations and any known bypasses.

Use this survival guide for the most accurate and concise remediation information on the vulnerability in all its forms.

Log4j Log4shell vulnerability Questions and Answers

Log4j Log4Shell Q&A

In our recent webinar, Log4j Log4Shell Vulnerability Explained: All You Need To Know, our  Senior Director Security Research expert Shachar Menashe shared information on the security issue and how to detect and remediate it.

We are happy to share additional information in the following Q&A, based on the questions raised during the webinar.

Log4j vulnerabilities detected in Maven Central packages

Exposed Maven Packages

In our recent blog post: “Log4j Detection with JFrog OSS Scanning Tools” we outlined the approach we implemented to improve Log4j vulnerability detection by scanning beyond package dependencies. The following are new findings gathered while using our new OSS tools to scan Java packages in the Maven Central repository.

JNDI - Unauthenticated RCE in H2 Database Console

JNDI Strikes Back

Very recently, the JFrog security research team disclosed an issue in the H2 database console which was issued a critical CVE – CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading). Read more about this new disclosure…