Helping The Open Source Community Find, Fix, and Remediate Log4j

In light of the wave of security vulnerabilities and exploitation affecting Log4j, we here at Sonatype have been working to keep on top of the ever-evolving situation as the attacks mutate, and as new discoveries are made in other logging frameworks.

By now it’s becoming clear that the blast radius of Log4Shell is titanic: in our recent download analysis we discovered that 65% of traffic is still going to older, vulnerable versions of Log4j. The discovery of CVE-2021-44228, and yesterday of CVE-2021-45046, means there is still a lot of work ahead of all software and open source developers.

To keep the community and our collective software supply chain safe, we are announcing free tools anyone developing free software can use. We’ve made the data available in the tools since Monday, December 13th, but wanted to highlight them again for increased visibility.

Open Source Maintainers: SBOMs and Enterprise-Grade Security for All Releases

One of the main pieces of advice to deal with the Log4j situation has been to use a Software Bill of Materials (SBOM) to understand where exactly vulnerable code sits and how it’s used.
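
As an added illustration of that advice (example code, not Sonatype's tooling), the following Python walks a CycloneDX-style JSON SBOM and flags every log4j-core component whose version predates the fixes for the two CVEs named in this post. The SBOM contents are constructed, and the fix-version thresholds are this example's assumption rather than data from the post.

```python
import json
import re

# Constructed CycloneDX-style SBOM (not a real project's bill of materials).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"name": "log4j-api", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1?type=jar"},
    {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2?type=jar"},
    {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9?type=jar"}
  ]
}"""

LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@"

def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; a pre-release
    tag sorts below the final release carrying the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z].*))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1)

def is_affected(version):
    """True when a log4j-core version predates the fix for CVE-2021-44228 /
    CVE-2021-45046 on its line: 2.12.2 for the 2.12.x (Java 7) line, else
    2.16.0. Thresholds are this example's assumption, not data from the post."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # Log4j 1.x is outside the scope of these two CVEs
    fixed = (2, 12, 2, 1) if v[1] == 12 else (2, 16, 0, 1)
    return v < fixed

def find_vulnerable_log4j(sbom_json):
    """Walk the SBOM's components and return [(name, version)] for every
    log4j-core entry still on an affected version."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        if purl.startswith(LOG4J_CORE):
            version = purl[len(LOG4J_CORE):].split("?", 1)[0]
            if is_affected(version):
                hits.append((comp["name"], version))
    return hits

if __name__ == "__main__":
    for name, version in find_vulnerable_log4j(SBOM_JSON):
        print(f"{name} {version}: affected, upgrade required")
```

Only log4j-core is matched, since log4j-api carries no JNDI lookup code; the 2.12.2 entry passes because that release shipped the fix for the Java 7 line.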

As custodians of The Maven Central Repository, we maintain our commitment to keeping Maven Central safe. Earlier in the year, we announced enhanced security scanning for all publications to the Central Repository. This gives maintainers free access to SBOM generation for all the releases they make available in Central.

When maintainers stage their artifacts for release, a security scan using our free Sonatype Lift tool is run and a report is provided back to them. We introduced this a few months ago to alert maintainers if their release contains any known vulnerabilities, and we have now added highlighting of any problematic versions of Log4j included anywhere in their deployment.

Example notification sent to staged artifacts in Central

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: https://blog.sonatype.com/helping-the-open-source-community-log4j