In light of the wave of security vulnerabilities and exploitation affecting Log4j, we here at Sonatype have been working to keep on top of the ever-evolving situation as the attacks mutate, and as new discoveries are made in other logging frameworks.
By now it’s becoming clear that the blast radius of Log4Shell is titanic - and in our recent download analysis we discovered that 65% of traffic is still going to older, vulnerable versions of Log4j. The discovery of CVE-2021-44228, and yesterday of CVE-2021-45046, means there is still a lot of work ahead for all software and open source developers.
To keep the community and our collective software supply chain safe, we are announcing free tools anyone developing free software can use. We’ve made the data available in the tools since Monday, December 13th, but wanted to highlight them again for increased visibility.
Open Source Maintainers: SBOMs and Enterprise-Grade Security for All Releases
One of the main pieces of advice to deal with the Log4j situation has been to use a Software Bill of Materials (SBOM) to understand where exactly vulnerable code sits and how it’s used.
As custodians for The Maven Central Repository, we maintain our commitment to keeping Maven Central safe. Earlier in the year, we announced enhanced security scanning for all publications to the Central Repository. This allows maintainers free access to generating SBOMs for all the releases they make available in Central.
When maintainers stage their artifacts for release, a security scan using our free Sonatype Lift tool is run and a report is provided back to them. We introduced this scan a few months ago to alert maintainers if their release contains any known vulnerabilities. We’ve now added highlighting of any problematic versions of Log4j included across their deployment.
Caption: Example notification sent to staged artifacts in Central
All maintainers have access to an up-to-date Software Bill of Materials of their release, and can use the interface to access Open Intelligence on any security issues discovered. We’ve also implemented an urgent warning to drive attention to the presence of any affected Log4j versions, pictured below.
Caption: An example warning message on Sonatype Lift
We’re firm believers that keeping open source maintainers informed of possible vulnerabilities in their code helps improve the quality of Open Source at large. More information about the new features available for all maintainers can be found in the Central Documentation portal.
Developers: Free Pull Request Protection for Log4j in GitHub with Sonatype Lift
In software engineering, there is an accepted wisdom that the earlier you find bugs, the easier they are to fix. The same applies to security vulnerabilities: discovering them earlier in the process makes them easier to fix and avoid. This is why we have committed to providing our enterprise-grade tool Sonatype Lift free of charge for any public project on GitHub, delivering automated suggestions to help mitigate any issues raised in PRs.
Lift monitors all the Pull Requests your team opens, and intelligently comments on them for any potential security issues or other types of bugs using over 20 best-of-breed analyzers.
It can identify someone attempting to change pom.xml or Gradle build file dependency references to any vulnerable versions.
Lift not only keeps you safe in your direct dependency upgrades, it also resolves your transitive dependencies and gives you intelligence about any unsafe includes of Log4j in your transitive dependency tree.
Caption: Example transitive dependencies notice
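As an added illustration of the kind of direct-versus-transitive check described above (this is not Sonatype Lift's code or output), the script below scans `mvn dependency:tree` output for log4j-core coordinates affected by CVE-2021-44228 and CVE-2021-45046. It assumes Apache's published fix versions (2.15.0 and 2.16.0 on the main line, 2.3.1 and 2.12.2 as backports) and uses a constructed sample dependency tree as input.

```python
import re
# Constructed sample of "mvn dependency:tree" output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:legacy-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.12.2:compile
[INFO] \\- com.example:other-lib:jar:1.1.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
"""
# Tree lines: "[INFO] <prefix>+- group:artifact:jar:version:scope"; verbose mode wraps omitted nodes in "(...)".
TREE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |]*)[+\\]- \(?(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):jar:(?P<v>[\w.\-]+)")

def parse_version(version):
    # "2.0-beta9" -> (2, 0, 0, 1, 9); "2.14.1" -> (2, 14, 1, 3, 0): pre-releases sort before finals.
    base, _, qualifier = version.partition("-")
    nums = [int(p) for p in base.split(".")] + [0, 0]
    letters = re.sub(r"\d", "", qualifier).lower()
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get(letters, 0) if qualifier else 3
    return (*nums[:3], rank, int(re.sub(r"\D", "", qualifier) or 0))

FIRST_AFFECTED = parse_version("2.0-beta9")
FIXED_44228 = parse_version("2.15.0")  # first release with JNDI lookups disabled by default
FIXED_45046 = parse_version("2.16.0")  # first release fixing the bypass of that fix
BACKPORTS = ((2, 3), parse_version("2.3.1")), ((2, 12), parse_version("2.12.2"))  # Java 6/7 security releases

def affected_cves(version):
    """Which of the two advisories apply to this log4j-core version."""
    v = parse_version(version)
    backported = any(v[:2] == branch and v >= first_fixed for branch, first_fixed in BACKPORTS)
    if v < FIRST_AFFECTED or v >= FIXED_45046 or backported:
        return []
    return ["CVE-2021-44228", "CVE-2021-45046"] if v < FIXED_44228 else ["CVE-2021-45046"]

def find_vulnerable_log4j(tree_text):
    """Return (version, 'direct'|'transitive', cves) for every affected log4j-core node."""
    findings = []
    for line in tree_text.splitlines():
        m = TREE_RE.match(line)
        if not m or (m["g"], m["a"]) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        cves = affected_cves(m["v"])
        if cves:
            depth = len(m["prefix"]) // 3 + 1  # each nesting level adds three columns
            findings.append((m["v"], "direct" if depth == 1 else "transitive", cves))
    return findings

for version, kind, cves in find_vulnerable_log4j(SAMPLE_TREE):
    print(f"log4j-core {version} ({kind}): {', '.join(cves)}")
```

Feed it the output of `mvn dependency:tree` (with `-Dverbose` to also see nodes Maven omitted during conflict resolution) to get the same direct/transitive split for a real build.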
Lift is available today for install from the GitHub Marketplace.
Free Security Intelligence: Open Source Intelligence for Log4j
Finally, we have made the decision to open source our enterprise-grade Nexus Intelligence on CVE-2021-44228 and CVE-2021-45046 and make it freely accessible through our free, online intelligence platform, OSSIndex.
Caption: Screenshot of the OSSIndex page on CWE-502
It’s also available to all tools powered by OSSIndex, including OWASP Dependency-Check. This gives teams the best possible chance to find, triage, and mitigate CVE-2021-44228. Our commitment is to help the open source security community have the most accurate data available for the continued firefight.
Clearing the Log4j Shadow
As long-standing members of the open source community, we understand how detrimental leaving this vulnerability unchecked could be for the world.
The responsibility to keep the community safe lies with all of us. We are contributing the free tools we know you need to be effective in your fight against Log4j and the attacks the future will bring.
Add Sonatype Lift to your repository today, and stay up to date on Log4j and other vulnerability disclosures with the Sonatype blog.