Open Source / Security / Software Development

How to Find Dangerous Log4j Libraries

23 Dec 2021 6:46am, by
fire truck par ds_30 de Pixabay

The Apache log4j logging library has become the COVID-19 of technology. No sooner than we fix one version than another pops up to annoy us. As of Dec. 21, the latest patched Log4j is version Log4j 2.17.0. If you have that installed in the right places, you’re good.

At this time, there are three separate Log4j security problems. CVE-2021-45046, the original, which scored the perfect 10, and CVE-2021-44228, its much less dangerous cousin. Together, these make up the Log4Shell vulnerability. In addition, there’s another separate log4j denial of service (DoS) attack, CVE-2021-45105.

Finding the Pesky Library

The trick, of course, is finding that pesky Apache logging library. Log4j is used everywhere on Earth… and Mars too. Yes, unpatched Log4j is on the Mars-based Ingenuity helicopter.

Security boffins have spent the last two weeks digging around trying to second guess the dependencies of every outsourced Java project IT has ever signed off. All too much of that code is hidden away in Java Archive Files (JARs).

As Josh Bressers, Anchore vice president of security explained, “One of the challenges the log4j vulnerability poses is actually finding it. Java applications and dependencies are usually in some sort of packaging format that makes the distribution and running really easy, but it can make figuring out what’s inside of those software packages difficult.”

You see, Bressers continued, “When working within Java, dependencies are cataloged as Java archive files, typically called JAR files. These are packages that can then be used as a Java library, but the issue here is that JAR files can start to look like Russian nesting dolls. A JAR file can contain JAR files, and those also contain JAR files. It’s basically JAR files all the way down.”

“All hope is not lost though!” concluded Bressers. You can use two Anchore open-source projects Syft and Grype, to detect and identify log4j, even if it’s buried in the third circle of JAR files.

Other Tools, Programs Available

There are other tools you can use to try to spot vulnerable versions of log4j. Some major security overview scanners now include tools for finding potentially vulnerable log4j libraries. These include: Cyber CNS, F-Security Elements, LionGuard, Microsoft Defender for Endpoint, Qualys Application Scanning, and Tanium.

There are also programs, almost all of which are open source, that can be used just to find log4j libraries.

In alphabetical order these are:

Good hunting! And may all your patches be made before the holidays.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: JFrog.

Feature image by par ds_30 de Pixabay