Log4j is a logging library used by many Java applications. The challenge is finding Log4j, because of the way Java packaging works. In the Java ecosystem, dependencies are distributed as Java archive (JAR) files, packages that can be used as a Java library. In some situations one dependency pulls in hundreds of other dependencies, making Log4j even harder to find. This creates many layers that all need to be investigated. Two open source tools led by Anchore, Syft and Grype, can scan a large number of packaged dependency formats, identify what is present, and report whether those packages contain vulnerabilities.
Both of these tools are able to inspect multiple nested layers of JAR archives to uncover and identify versions of Log4j. Syft is also able to discern which version of Log4j a Java application contains.
The Log4j JAR can be directly included in our project, or it can be hidden away in one of the dependencies we include. For example, using Syft to scan this sample Java project shows that it includes Log4j version 2.
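As an added illustration of the nested-JAR problem described above (example code written for this page, not Syft's or Grype's implementation), the walker below opens a JAR, descends into any JAR/WAR/EAR nested inside it, and reports the log4j-core version from the Maven `pom.properties` entry that Log4j 2.x artifacts carry. The sample archive, its paths and the version string `2.14.1` are constructed fixtures.

```python
import io
import zipfile

# Maven metadata entry that log4j-core 2.x JARs carry (real groupId/artifactId).
LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def find_log4j(data: bytes, path: str = "<root>", depth: int = 0, max_depth: int = 10):
    """Recursively walk a JAR (zip) and any archives nested inside it.

    Returns a list of (location, version) tuples, one per log4j-core found.
    Hypothetical helper written for this example; not Syft's algorithm.
    """
    hits = []
    if depth > max_depth:  # guard against pathological nesting depth
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # not an archive: nothing to inspect
        return hits
    with zf:
        for name in zf.namelist():
            if name == LOG4J_POM:
                props = zf.read(name).decode("utf-8", "replace")
                for line in props.splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        hits.append((path, value.strip()))
            elif name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                # Descend into the nested archive, keeping the full path for the report.
                hits.extend(find_log4j(zf.read(name), f"{path}/{name}", depth + 1, max_depth))
    return hits


def build_sample() -> bytes:
    """Constructed fixture: app.jar -> lib/shaded.jar -> log4j-core pom.properties."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(LOG4J_POM, "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\nversion=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        z.writestr("lib/shaded.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for where, version in find_log4j(build_sample(), "app.jar"):
        print(f"log4j-core {version} found at {where}")
```

The version this reports is an inventory fact for the SBOM; deciding whether it is vulnerable is the job of a scanner such as Grype matching it against a vulnerability database.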
Regardless of the version of Log4j that is included, there is value in generating and storing an SBOM to keep a record of everything that is included in any software component or application you deliver. Grype is a scanner that has the ability to tell us which specific vulnerabilities our software contains.
When you include a dependency in your application, you can also identify the vulnerabilities that the dependency contains, and so on through multiple levels of nesting. Because the stored SBOM records all of this, you can re-scan it for new vulnerabilities even after the software has been deployed or delivered to customers. Scanning the same sample Java project with Grype finds the Log4j vulnerability and identifies it as critical severity. Syft and Grype can scan your applications no matter where they reside.
You can scan a directory on disk, scan a container image locally, or even scan a container image in a remote registry. Scanning after deployment is also a good idea. Any time a new zero-day vulnerability is discovered, it can be difficult for impacted organizations to remediate the problem quickly.
The first and most important step is to understand whether a particular vulnerability even affects you, and in the case of JAR files this is hard to determine without tooling. As an industry, how we react and support each other during zero-day vulnerabilities is critical.