A high severity vulnerability (CVE-2021-44228) affecting multiple versions of the Apache Log4j logging library, which is used in many Java-based applications, was disclosed publicly on December 9, 2021. This vulnerability is also known as the Log4shell/Logjam vulnerability. When exploited, it can enable threat actors to take full control of affected systems. NIST has given CVE-2021-44228 the highest possible severity rating (10.0).
Several days later, another vulnerability in Log4j (CVE-2021-45046) was identified that could be exploited even after applying the recommended mitigation steps, such as upgrading to Log4j 2.15 or adjusting environment variables. Apache quickly responded with Log4j 2.16, and the race is now on as organizations around the world scramble to patch proprietary and commercially sourced Java applications while threat actors aggressively seek to exploit vulnerable apps en masse.
CyberRes continues to analyze this remote code execution vulnerability and is taking swift remediation action to help protect our customers, wherever possible.
We would like to announce that we have the following official resources available to support customers who are dealing with this issue:
- CyberRes landing page: Summary of CyberRes impact from Log4j or Log4shell/LogJam (CVE-2021-44228)
- Micro Focus landing page: Micro Focus Statement on “Log4j” Vulnerabilities
Fortify’s Response
Fortify Software Composition Analysis (SCA) is powered by our long-standing partnership with Sonatype and goes beyond a single comparison of declared dependencies against the National Vulnerability Database (NVD) by using natural language processing to dynamically monitor every commit and vulnerability site. It is capable of detecting the use of vulnerable Log4j versions throughout your software portfolio so you can quickly assess risk and prioritize remediation efforts.
As our valued partner in this space, we want to highlight the fantastic resources Sonatype has put together around the Log4j vulnerability:
- Critical New 0-day Vulnerability in Popular Log4j Library Discovered blog
- Log4shell by the numbers article
- Scan your application for FREE for Log4j with Nexus Vulnerability Scanner
Get in touch for more information on how Fortify’s Software Composition Analysis offerings can help you identify and remediate applications impacted by the Log4j CVEs and establish a systematic program for open source software resiliency.
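To make the version checks behind the two paragraphs above concrete (2.15 is not enough because of CVE-2021-45046, 2.16 is the fix, 2.17.1 is the level the Fortify patches ship), here is an added example, not Fortify or Sonatype code, of the simplest kind of portfolio scan: open each JAR/WAR/EAR, read the pom.properties that log4j-core carries inside its own JAR, descend into nested JARs, and classify the version. It assumes the archives are unmodified Maven builds (repackaged or shaded JARs may lack that file), flags every 2.x release below 2.15 as CVE-2021-44228 without modelling the 2.3.x/2.12.x backport lines, and runs on constructed in-memory fixtures rather than a real directory tree.

```python
import io, re, zipfile
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # shipped inside log4j-core
FIX_LEVELS = [  # (first version that no longer carries the finding, finding)
    ((2, 15, 0, 1), "vulnerable: CVE-2021-44228"),
    ((2, 16, 0, 1), "vulnerable: CVE-2021-45046 (bypasses the 2.15 mitigation)"),
    ((2, 17, 1, 1), "below the 2.17.1 patch baseline"),
]

def parse_version(text):
    """'2.15.0' -> (2, 15, 0, 1); a pre-release such as '2.0-beta9' ends in 0 so it sorts lower."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\w+)?$", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0), 0 if m[4] else 1) if m else None

def classify(version):
    """Verdict for a log4j-core version against the fix versions the post names."""
    v = parse_version(version)
    if v is None or v < (2, 0, 0, 0):
        return "unparseable or log4j 1.x: review manually"
    return next((finding for limit, finding in FIX_LEVELS if v < limit), "patched")

def scan_archive(name, data):
    """List (archive, version, verdict) for log4j-core in an in-memory archive, nested JARs included."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # not a zip: nothing to inspect
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if POM_PATH in zf.namelist():
            props = dict(l.split("=", 1) for l in zf.read(POM_PATH).decode().splitlines() if "=" in l)
            version = props.get("version", "").strip()
            findings.append((name, version, classify(version)))
        for entry in zf.namelist():  # e.g. WEB-INF/lib/*.jar inside a WAR
            if entry.lower().endswith((".jar", ".war", ".ear")):
                findings += scan_archive(f"{name}!{entry}", zf.read(entry))
    return findings

def core_jar(version):
    """Constructed fixture: a minimal log4j-core JAR carrying only its pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

def demo():
    """Constructed portfolio: a bare 2.14.1 JAR, a WAR bundling 2.16.0, and a 2.17.1 JAR."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", core_jar("2.16.0"))
    archives = {"log4j-core-2.14.1.jar": core_jar("2.14.1"), "app.war": war.getvalue(),
                "log4j-core-2.17.1.jar": core_jar("2.17.1")}
    return sorted(f for name, data in archives.items() for f in scan_archive(name, data))
```

Calling `demo()` returns one row per embedded log4j-core, so the 2.16.0 copy inside the WAR is reported as below the 2.17.1 baseline rather than missed because the outer archive is an application, not a library.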
Update
Fortify has also created a new set of capabilities for Fortify WebInspect that detect out-of-band vulnerabilities using a new technique called OAST (Out-of-Band Application Security Testing).
Update 1/31/22
We’re pleased to share that Log4j 2.17.1 patches for SCA & Tools, SSC and ScanCentral are now available on the software download portal. Patches cover all supported versions – 20.1 through 21.2. Additionally, the SCA 21.2.3 patch adds support for Xcode 13.2.1 and Swift 5.5.2.
About Fortify
Fortify enables organizations to build software resilience for modern development from an AppSec partner you can trust. Fortify integrates into your existing development toolchain seamlessly, giving you the highest quality findings and remediation advice during every stage, creating more secure software. With Fortify, you don’t need to trade quality of results for speed.