TNS
VOXPOP
Will JavaScript type annotations kill TypeScript?
The creators of Svelte and Turbo 8 both dropped TS recently saying that "it's not worth it".
Yes: If JavaScript gets type annotations then there's no reason for TypeScript to exist.
0%
No: TypeScript remains the best language for structuring large enterprise applications.
0%
TBD: The existing user base and its corpensource owner means that TypeScript isn’t likely to reach EOL without a putting up a fight.
0%
I hope they both die. I mean, if you really need strong types in the browser then you could leverage WASM and use a real programming language.
0%
I don’t know and I don’t care.
0%
Open Source / Security / Software Development

How to Find Dangerous Log4j Libraries

The Apache log4j logging library has become the Covid-19 of technology. No sooner than we fix one version than another pops up to annoy, but first you have to find it.
Dec 23rd, 2021 6:46am by
Featued image for: How to Find Dangerous Log4j Libraries
Feature image by par ds_30 de Pixabay 

The Apache log4j logging library has become the COVID-19 of technology. No sooner than we fix one version than another pops up to annoy us. As of Dec. 21, the latest patched Log4j is version Log4j 2.17.0. If you have that installed in the right places, you’re good.

At this time, there are three separate Log4j security problems. CVE-2021-45046, the original, which scored the perfect 10, and CVE-2021-44228, its much less dangerous cousin. Together, these make up the Log4Shell vulnerability. In addition, there’s another separate log4j denial of service (DoS) attack, CVE-2021-45105.

Finding the Pesky Library

The trick, of course, is finding that pesky Apache logging library. Log4j is used everywhere on Earth… and Mars too. Yes, unpatched Log4j is on the Mars-based Ingenuity helicopter.

Security boffins have spent the last two weeks digging around trying to second guess the dependencies of every outsourced Java project IT has ever signed off. All too much of that code is hidden away in Java Archive Files (JARs).

As Josh Bressers, Anchore vice president of security explained, “One of the challenges the log4j vulnerability poses is actually finding it. Java applications and dependencies are usually in some sort of packaging format that makes the distribution and running really easy, but it can make figuring out what’s inside of those software packages difficult.”

You see, Bressers continued, “When working within Java, dependencies are cataloged as Java archive files, typically called JAR files. These are packages that can then be used as a Java library, but the issue here is that JAR files can start to look like Russian nesting dolls. A JAR file can contain JAR files, and those also contain JAR files. It’s basically JAR files all the way down.”

“All hope is not lost though!” concluded Bressers. You can use two Anchore open-source projects Syft and Grype, to detect and identify log4j, even if it’s buried in the third circle of JAR files.

Other Tools, Programs Available

There are other tools you can use to try to spot vulnerable versions of log4j. Some major security overview scanners now include tools for finding potentially vulnerable log4j libraries. These include: Cyber CNS, F-Security Elements, LionGuard, Microsoft Defender for Endpoint, Qualys Application Scanning, and Tanium.

There are also programs, almost all of which are open source, that can be used just to find log4j libraries.

In alphabetical order these are:

Good hunting! And may all your patches be made before the holidays.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: JFrog.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.