The Log4j vulnerability, now known as Log4Shell, was originally discovered and reported to Apache by the Alibaba Cloud security team on November 24th. MITRE assigned CVE-2021-44228 to this vulnerability, which has since been dubbed Log4Shell by security researchers. Understand the Log4Shell exploitation vectors in Log4j, learn exactly what is vulnerable, and discover remediations for this zero-day vulnerability.
In this technical blog post, we address the detection, blocking, and remediation options available on the JFrog platform, and you will learn how to use JFrog Artifactory and Xray to detect, block, and remediate the Log4j vulnerability to protect your organization.
While it is hard to draw general lessons from an extreme scenario like Log4j, it provides an opportunity to gauge our existing software development, testing, and release methodologies, and to consider what can be done differently in the future to prevent a repeat. JFrog's free OSS Log4j scanning tools let you detect Log4Shell vulnerabilities by scanning code at a deeper level, finding vulnerable packages that other scanning tools miss.
Join JFrog's Senior Director of Security Research, Shachar Menashe, as he discusses the following Log4j and Log4Shell topics:
– What is the Log4Shell vulnerability in Log4j and why is it so critical?
– Under what conditions can the vulnerability be exploited?
– Mitigation options, including available solutions when a software upgrade is not feasible
– How to efficiently detect the Log4Shell vulnerability in your software artifacts using JFrog Xray
Looking for a simplified explanation of all the Log4j vulnerabilities discovered and what you need to do? This handy survival guide gives you the essentials you need to know about the latest findings on Log4j vulnerability risks, all of the mitigations, and any known bypasses.
Use this survival guide for the most accurate and concise remediation information on the vulnerability in all its forms.
In our recent webinar, Log4j Log4Shell Vulnerability Explained: All You Need To Know, our Senior Director of Security Research, Shachar Menashe, shared information on the security issue and how to detect and remediate it.
We are happy to share additional information in the following Q&A, based on the questions raised during the webinar.
In our recent blog post, "Log4j Detection with JFrog OSS Scanning Tools", we outlined the approach we implemented to improve Log4j vulnerability detection by scanning beyond declared package dependencies. The following are new findings gathered while using our new OSS tools to scan Java packages in the Maven Central repository.
Very recently, the JFrog security research team disclosed an issue in the H2 database console that was assigned a critical CVE, CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading). Read more about this new disclosure…