![]() Again, you’re going to need to use multiple scanners in your security-hole hunt.įor example, Rezilion found that while tools can detect vulnerable Log4j instances in multiple Java binaries types with a range of file extensions, sometimes the names are the ones we’re searching for. ![]() While Rezilion didn’t look at all the scanners I’ve mentioned in How to Find Dangerous Log4j Libraries, it’s a safe bet that none of them can find all the troubled lib4j libraries either. Your only choice is to use multiple scanners. There is no single scanner that can spot examples of the problem code. Some scanners did better than others, but none was able to detect all formats.” All formats are commonly used by developers and IT teams. So, as Rezilion Vulnerability Research Lead Yotam Perkal explained, “In order to estimate how big the industry’s current blindspot is Rezilion’s vulnerability research team conducted a survey where multiple open source and commercial scanning tools were assessed against a dataset of packaged Java files where Log4j was nested and packaged in various formats. It’s a real nightmare digging up the suspect code. Salting the wound Java code can be buried many levels down in these formats. Adding insult to injury, log4j can be packaged in many different formats such as Java Archive Files (JARs), Tape Archive (TAR), Web Application Archive (WAR), Enterprise Application Archive (EAR) Service Application Archive (SAR), and on and on. A simple shallow search for it can miss it entirely. The problem with detecting Log4Shell within packaged software in production environments is that Java code can be nested a few layers deep into other files. The bad news is, Rezilion, a programming security company, has found that no single scanning tool can find all the security-compromised programs. The good news is there are scanning tools that can find those vulnerable libraries before they go bang. A day, an hour, doesn’t go by without new exploits blowing up. Thanks to the Apache Java logging library log4j‘s popularity and its ability to hide in code, we have landmines hiding in our infrastructure due to log4j’s Log4Shell security vulnerabilities.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |