Open-source tools enable developers to quickly localize the threat and implement remedial measures.
JFrog has released free scanning tools made specifically for developers to detect the presence and usage of the Apache Log4j vulnerability in both source code and binary files. The new tools perform special scans to identify direct and indirect (transitive) dependencies, as well as cases in which Log4j does not appear as a separate file but is bundled inside a larger software package and is therefore harder to discover. The tools are command-line based, so they can be integrated easily into developers’ existing environments, and their open core allows the functionality to be extended over time as requirements change.
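The case the release singles out, a Log4j copy that is not a separate file but is bundled (shaded or nested) inside a larger archive, is what makes naive filename-based inventory miss it. The following added example, which is not JFrog's code, shows the core of such a check in Python: it walks an archive and every archive nested inside it and reports each location carrying log4j-core content, using the real class and Maven metadata paths found inside the log4j-core jar. The sample "fat jar" it scans is constructed in memory for illustration.

```python
import io
import zipfile

# Real paths inside the log4j-core jar that betray a bundled (shaded) copy.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, path: str = "<root>", findings=None):
    """Walk an archive and every archive nested inside it, recording each
    location where log4j-core content is present (with its version when the
    Maven pom.properties survived the bundling)."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive: nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if JNDI_LOOKUP_CLASS in names or version is not None:
            findings.append({"path": path, "version": version,
                             "jndi_lookup_present": JNDI_LOOKUP_CLASS in names})
        for name in sorted(names):  # recurse into jars-within-jars
            if name.lower().endswith(NESTED_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)
    return findings


def build_sample_fat_jar() -> bytes:
    """Constructed input (not a real artifact): an app jar that shades
    log4j-core classes directly and also bundles a copy as a nested jar."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPERTIES, "artifactId=log4j-core\nversion=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # shaded copy, pom stripped
        z.writestr("lib/log4j-core-2.14.1.jar", nested.getvalue())
    return outer.getvalue()
```

Running `scan_archive(build_sample_fat_jar(), "app.jar")` yields two findings: the shaded copy at the root (no version, since its pom.properties is gone) and the nested jar with its version read from the Maven metadata.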
“The Log4j vulnerability has seriously affected the software landscape in companies as it is widely used as a component in the entire software supply chain, making it difficult to locate and fix quickly,” said Asaf Karas, CTO of JFrog Security Research. “In times of crisis, open-source tools that scan both binaries and source code enable collaboration and community input to collectively solve immediate and long-term security problems, which is why we are proud to release these tools today.”
Industry research shows that almost half of all companies worldwide are already affected by the Log4j vulnerability, and the number of incidents is increasing every day. Government officials from Germany, Austria, Canada, New Zealand, the UK, and the US have also sounded the alarm, recommending that companies and software providers alike take immediate action.
The Log4j vulnerability was originally discovered on November 24th by the Alibaba cloud security team and reported to Apache. MITRE assigned CVE-2021-44228 to this vulnerability, which security researchers have since referred to as Log4Shell. JFrog’s Security Research Team has detailed the currently known Log4j vulnerabilities and outlined best practices for identifying and fixing them in a blog post that is continuously updated.
The four new tools are now available for download from GitHub in Java and Python.