Introduction
On the evening of December 9, a remote code execution vulnerability in Apache Log4j 2 was disclosed. An attacker can use it to execute arbitrary code on the target server, which makes it extremely harmful.
Tencent Security added the vulnerability to the Tencent Security Vulnerability Signature Database. CODING artifact scanning, which is built on that signature database, accurately located artifacts that reference an affected Log4j 2 version and provided repair suggestions. At the same time, downloading artifacts that contain the vulnerability can be prohibited, which minimizes its spread.
Apache Log4j 2 vulnerability details
Apache Log4j 2 is a Java-based logging library. It is a rewrite of the original Log4j framework and introduces many new features. As a basic third-party logging library, it is used by a large number of Java frameworks and applications.
The vulnerability lies in the lookup feature of Log4j 2, which lets developers read configuration from the surrounding environment through several protocols. The implementation did not strictly validate its input, so when the program logs data supplied by a user, the vulnerability can be triggered.
Vulnerability details:

| Vulnerability name | Arbitrary code execution vulnerability in Apache Log4j 2 |
|---|---|
| Threat level | High risk |
| Vulnerability details | Public |
| POC | Known |
| EXP | Known |
| Affected component | Apache Log4j 2 |
| Affected versions | Apache Log4j 2 2.0 - 2.14.1 |
| Vulnerability number | None |
| Exploited in the wild | Observed |
| Fixed version | Log4j-2.15.0-rc2 |
Log4j 2 is widely used; applications and components that may be affected include (but are not limited to): Apache Solr, Apache Flink, Apache Druid, Apache Struts2, spring-boot-starter-log4j2, ElasticSearch, Flume, Dubbo, Redis, Logstash, Kafka.
Use CODING artifact scanning to quickly identify affected artifacts
CODING artifact scanning has already identified this vulnerability. In the Artifact Management - Artifact Scanning module you can create a "security vulnerability scanning plan" to run security scans on the related Maven packages. The vulnerability can be checked directly in the online version of CODING DevOps; customers running private deployments of CODING DevOps or WePack should contact their account manager for an upgrade.
After the scan, the latest Chinese-language vulnerability information is shown. Tencent Security rates the risk level of this vulnerability as "critical", and because the affected library is widely used and the threshold for exploitation is low, it is marked as a "Priority Concern Vulnerability". In the vulnerability details we recommend that users upgrade to version 2.15.0-rc2 as soon as possible; once the dependency is upgraded, the impact of the vulnerability is avoided.
At the same time, the control "prohibit downloading artifacts that fail the quality red line" can be enabled so that future artifact updates cannot reintroduce this risk.
How to fix vulnerabilities
Upgrade all applications that depend on Apache Log4j to the latest version, Log4j-2.15.0-rc2.
(Version 2.15.0-rc1 can be bypassed, as verified by Tencent security experts.)
Patch download:
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
Vulnerability mitigation measures:
- JVM parameter: -Dlog4j2.formatMsgNoLookups=true
- log4j2.formatMsgNoLookups=True
After obtaining the patch, repackage the application, upload the dependent jar package to the CODING artifact repository, modify the artifact dependency configuration, and push the new version.
After rescanning, the artifact passes the scan.
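The core of both the affected-artifact identification above and the post-upgrade rescan is a version check against the range in the table. As an added example (not code from the original post or from CODING), the following Python script performs that check on a directory of jars: it reads the log4j-core version from the Maven pom.properties packed inside each jar, compares it with the affected range 2.0 - 2.14.1, treats 2.15.0-rc1 as still affected per the bypass note above, and reports which jars pass. The sample jars it scans are constructed in a temporary directory and contain only the pom.properties entry, so the script runs offline; the pom.properties path is the standard Maven layout for the log4j-core artifact.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range from the advisory table: Log4j 2 versions 2.0 through 2.14.1.
# 2.15.0-rc1 is also treated as affected because the advisory notes it can be
# bypassed; 2.15.0-rc2 is the first version that passes.
AFFECTED_MIN = (2, 0, 0)
FIXED = (2, 15, 0)

# Standard Maven layout for the log4j-core artifact metadata inside a jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?$")


def parse_version(text):
    """Turn '2.14.1' or '2.15.0-rc2' into ((2, 14, 1), None) or ((2, 15, 0), 'rc2')."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc


def is_affected(version_text):
    """True if the version lies in the affected range, False if it is fixed,
    None if the version string has an unexpected shape (flag for manual review)."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    nums, rc = parsed
    if nums < AFFECTED_MIN:
        return False  # Log4j 1.x is a different code base, out of scope here
    if nums < FIXED:
        return True
    if nums == FIXED and rc == "rc1":
        return True  # rc1 bypass noted in the advisory
    return False


def log4j_core_version(jar_path):
    """Read the log4j-core version from the Maven pom.properties inside a jar.
    Returns None when the jar does not bundle log4j-core metadata."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan_jars(directory):
    """Map jar file name -> (log4j-core version, affected flag) for jars bundling log4j-core."""
    results = {}
    for jar in sorted(Path(directory).glob("*.jar")):
        version = log4j_core_version(jar)
        if version is not None:
            results[jar.name] = (version, is_affected(version))
    return results


def build_sample_jar(path, version):
    """Constructed fixture: a jar holding only the pom.properties entry (no classes)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )


def demo_scan():
    """Build three constructed sample jars in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for version in ("2.14.1", "2.15.0-rc1", "2.15.0-rc2"):
            build_sample_jar(Path(tmp) / f"log4j-core-{version}.jar", version)
        return scan_jars(tmp)


if __name__ == "__main__":
    for name, (version, affected) in demo_scan().items():
        status = "AFFECTED" if affected else ("unknown" if affected is None else "ok")
        print(f"{name}: log4j-core {version} -> {status}")
```

Versions whose string does not fit the expected shape (for example pre-release builds) are reported as unknown rather than silently passed, which mirrors how a quality red line should fail closed on anything it cannot classify. Point `scan_jars` at a real artifact directory to check jars pulled from an artifact repository.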
Joining forces to protect customer software security
CODING works hand in hand with Tencent Security and its Keen Lab and Yunding Lab to jointly protect customer software security.
Trusted vulnerability signature database
The "Tencent Security Open Source Component Vulnerability Signature Database" is built by Tencent from its own security research and from general open source vulnerability databases at home and abroad. It is operated continuously by a professional security team and provides users with accurate, timely and easy-to-understand security information.
Comprehensive process control
During software production, every artifact entering the CODING artifact repository is covered by CODING artifact scanning. CODING performs dependency analysis on the artifact, identifies the open source components it references, matches them against the "Tencent Security Open Source Component Vulnerability Signature Database" to identify vulnerabilities in those components, outputs a vulnerability report, judges whether the artifact passes the scan against the preset quality red line, and shows the result in the artifact details.
At the same time, Tencent security experts screen out the vulnerabilities that need priority attention based on each vulnerability's static threat level (CVSS) and dynamic risk level (whether a public POC is currently in use), and flag them in the scan results so that customers deal with critical issues first.
Continuous risk product management
The artifact scanning plan can be configured to prohibit downloading artifacts that have not passed the security scan, which prevents team members from referencing or releasing artifacts with potential security hazards and keeps the risk of vulnerabilities under continuous control.
At a time when vulnerabilities and data security incidents occur frequently, CODING continues to invest in making the software development process more efficient while also paying continuous attention to the security of the development process and of software assets, and is committed to providing business users with a more efficient, more reliable and safer R&D workflow on the cloud.
In the future, CODING will continue to focus on the security of software production, maintain close cooperation with Tencent's security team, provide more accurate dependency analysis and license scanning in the artifact management stage, help customers build comprehensive DevSecOps capabilities, shift security management and control to the left, and reduce the risk of software production.
Contact a CODING consultant to obtain the DevSecOps solution