Log4j flaw hunt shows the complexity of the software supply chain
Open-source software is everywhere now, but the Log4j flaw affecting enterprise Java applications is a reminder of what can go wrong in the complex modern software supply chain.
The challenge with the Log4j flaw (also known as Log4Shell) is not only that administrators have to patch it, a bug that received a 'critical' CVSS rating of 10 out of 10, but that IT staff cannot easily determine whether a product or system is affected by the vulnerable component at all.
Google has calculated that approximately 17,000 Java packages in Maven Central, the most important Java package repository, include the vulnerable log4j-core library as a direct or transitive dependency.
Now security company JFrog has found more, identifying additional packages that carry the Log4j vulnerabilities but would not be detected by dependency scanning: packages in which Log4j code is shaded, that is, copied directly into the artifact itself.
Overall, JFrog found that directly including Log4j code in an artifact is not as common as using Log4j through declared dependencies. Still, it turned up hundreds of packages, around 400, that contain Log4j code directly, which exposes those packages to the Log4j vulnerabilities without any log4j-core dependency to show for it.
"In more than half of the cases (~65%), Log4j code is included as direct classes (i.e. direct inclusion/shading), as opposed to including whole Log4j .jar files (i.e. fat jar), as is usually the case. These numbers indicate that tools that only look for complete .jar files will miss most of the cases where Log4j is included directly," JFrog said.
The flaw is a reminder of why Microsoft and Google are pouring money into projects that support the security of open-source software, which is the backbone of today's internet infrastructure. Previous research shows that most software flaws are found in dependencies and third-party libraries rather than in first-party code.
The severity of the flaw means administrators would be well served by scanning every Java application that could include Log4j code, not just those that declare it as a dependency. Microsoft has released scanning tools to detect vulnerable Windows and Linux systems, applications and tools, and JFrog offers an alternative.
JFrog emphasizes that its scanner inspects the embedded code itself rather than only checking whether a version of the library is declared as a dependency.
"The reason that scanning the full dependency list may miss instances of included Log4j code is that dependencies only specify external packages needed to build or run the specific artifact. If the vulnerable code is inserted directly into the source code, it is not a dependency. So, for a more thorough search for vulnerable Log4j code, we need to examine the code itself," the company notes in a blog post.
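As an added illustration of the two points JFrog makes above (tools that only look for complete .jar files miss shaded classes, and a dependency list cannot see code copied into the artifact), here is a small Python scanner. It is example code written for this article, not JFrog's tool or the project's own code. It walks a jar/war/ear, recurses into nested archives, and matches the JndiLookup class by its path suffix so relocated (shaded) copies are found, then reports the log4j-core version from pom.properties when that file is present. The only real Log4j facts it relies on are that class path and that pom.properties location; the three sample archives it builds are constructed stand-ins with placeholder bytes, not real Log4j artifacts, and the package name com/acme/shaded is invented.

```python
"""Find Log4j code embedded in Java archives, including shaded classes.

A dependency list only sees declared log4j-core dependencies, and a scan for
files named log4j-core-*.jar only sees fat jars. This walks every archive
entry, recursing into nested jars, and matches the JndiLookup class by path
suffix, so relocated ("shaded") packages are caught too.
"""
import io
import os
import re
import tempfile
import zipfile

# Path suffix of the class whose JNDI lookup drives CVE-2021-44228. Matching on
# the suffix rather than the full path catches shaded copies such as
# com/acme/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class
JNDI_LOOKUP_SUFFIX = "log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Present when log4j-core was bundled as a whole jar; shading usually drops it,
# so the version is reported as unknown in that case.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _walk(zf, prefix, findings, depth=0):
    """Recurse through one ZipFile, collecting JndiLookup hits and the version."""
    if depth > 10:  # defensive bound against self-nesting archives / zip bombs
        return
    version = None
    hits = []
    for name in zf.namelist():
        if name == POM_PROPS:
            m = re.search(rb"^version=(.+)$", zf.read(name), re.M)
            if m:
                version = m.group(1).decode().strip()
        elif name.endswith(JNDI_LOOKUP_SUFFIX):
            hits.append(name)
        elif name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _walk(inner, prefix + name + "!/", findings, depth + 1)
            except zipfile.BadZipFile:
                continue  # not really an archive; ignore
    for h in hits:
        shaded = not h.startswith("org/apache/logging/log4j/")
        findings.append({"entry": prefix + h, "version": version, "shaded": shaded})


def scan_archive(path):
    """Return a list of findings (entry path, version or None, shaded flag)."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        _walk(zf, "", findings)
    return findings


def naive_filename_check(path):
    """The weak check: only looks for a file named log4j-core-*.jar."""
    pat = re.compile(r"(^|/)log4j-core-[^/]*\.jar$")
    with zipfile.ZipFile(path) as zf:
        names = [os.path.basename(path)] + zf.namelist()
    return any(pat.search(n) for n in names)


def build_samples(directory):
    """Write three constructed archives (placeholder bytes, not real Log4j)."""
    # Stand-in for log4j-core-2.14.1.jar: a path-based scan needs no real bytecode.
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, b"version=2.14.1\ngroupId=org.apache.logging.log4j\n")
    samples = {}
    # 1. fat jar: bundles the whole log4j-core jar under BOOT-INF/lib
    p = os.path.join(directory, "app-fat.jar")
    with zipfile.ZipFile(p, "w") as z:
        z.writestr("com/acme/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    samples["fat"] = p
    # 2. shaded jar: Log4j classes relocated under the application's own package
    p = os.path.join(directory, "app-shaded.jar")
    with zipfile.ZipFile(p, "w") as z:
        z.writestr("com/acme/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("com/acme/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class",
                   b"\xca\xfe\xba\xbe")
    samples["shaded"] = p
    # 3. clean jar: no Log4j code at all
    p = os.path.join(directory, "app-clean.jar")
    with zipfile.ZipFile(p, "w") as z:
        z.writestr("com/acme/App.class", b"\xca\xfe\xba\xbe")
    samples["clean"] = p
    return samples


def demo():
    """Build the constructed samples in a temp dir and run both checks on them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for kind, path in build_samples(d).items():
            results[kind] = {"filename_check": naive_filename_check(path),
                             "findings": scan_archive(path)}
    return results


if __name__ == "__main__":
    for kind, r in demo().items():
        print(f"{kind}: filename check={r['filename_check']} findings={r['findings']}")
```

Run against the samples, the filename check flags only the fat jar, while the entry-level walk flags both the fat jar (with version 2.14.1 read from pom.properties) and the shaded jar (version unknown, since shading dropped the metadata). This is still a path-based heuristic: a shader that renames the class itself would evade it, which is why production scanners also fingerprint the class bytes rather than trusting names.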
The research underlines how exposed modern IT systems are to attacks on the software supply chain.
The importance of the Java programming language can hardly be overstated. It remains one of the most widely used languages in the world and a core enterprise language, with an ecosystem that includes projects such as Microsoft's build of OpenJDK. Microsoft itself uses Java in Azure, SQL Server, Yammer, Minecraft, and LinkedIn.