
Log4j still an issue, but CodeSec audit can help


The Log4j vulnerabilities in Java software landed on the incident response boards of engineering teams worldwide in December 2021, and more than nine months later they remain a real concern for developers.

Apache Log4j is a widely used logging library in the Java ecosystem. In December 2021, researchers disclosed that Log4j 2 would resolve JNDI lookups embedded in the strings it logged, so an attacker who could get a crafted string into a log message could make the application fetch and execute code from a server the attacker controlled (CVE-2021-44228, widely known as Log4Shell). Apache fixed this and the follow-on issues in later releases (2.17.1 and later for Java 8), but many organizations are still running the vulnerable versions.

Microsoft Security recently reported that organizations running out-of-date versions of the SysAid IT management products were attacked through the Log4j vulnerabilities. According to the report, actors associated with the Iranian Ministry of Intelligence and Security exploited the unpatched Log4j in SysAid to compromise organizations in Israel, gained administrator access on the affected machines, and ran commands locally. Israel and Iran are in an ongoing, state-level conflict, and in this particular campaign the Log4j vulnerabilities were the avenue in.

Geopolitics is usually a distant afterthought in engineering design discussions, but this attack should be a flashing neon warning sign for software engineers and publishers: attacks that exploit the Log4j weaknesses are still happening, and the exposure is potentially wide in scale.

CodeSec by Contrast offers a free and easy first step toward remediating critical Log4j vulnerabilities in your projects. CodeSec recently added Software Composition Analysis (SCA) through its contrast audit command. SCA inspects the third-party libraries your project depends on and reports known vulnerabilities in them, which is exactly where an outdated log4j-core shows up. Keep in mind that a dependency scan only sees what the build declares or bundles: Log4j pulled in transitively, or repackaged into a shaded or fat JAR, still counts, so scan the built artifact as well as the manifest. In previous articles, we looked at how to use CodeSec to find Log4j vulnerabilities in a Java project and how to integrate CodeSec into your Git workflow so that every commit is scanned automatically.
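To make concrete what a composition check for this bug looks like, here is an added example; it is not CodeSec's code and says nothing about how the contrast audit command works internally. It walks a built Java artifact (a JAR, plus any JARs nested inside it, as in a WAR or fat JAR) and uses the two signals most Log4Shell scanners rely on: the version recorded in log4j-core's Maven pom.properties, and the presence of the JndiLookup class that CVE-2021-44228 abuses. The version cutoffs follow Apache's published fix releases (2.17.1 for Java 8 and later, with the 2.12.4 and 2.3.2 backports for Java 7 and Java 6). The sample artifacts are constructed in memory with placeholder bytes so the script runs offline; the file names and the three-way status are this example's own conventions.

```python
"""Minimal Log4Shell exposure check for built Java artifacts (added example)."""
import io
import re
import zipfile

# The class that CVE-2021-44228 abuses and the Maven metadata that names the bundled version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes such as '2.0-beta9' are dropped."""
    parts = [int(p) for p in re.findall(r"\d+", text.split("-")[0])]
    return tuple((parts + [0, 0, 0])[:3])


def log4shell_fixed(version):
    """True if this log4j-core 2.x version carries the fixes for CVE-2021-44228,
    CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.
    Log4j 1.x does not share the Log4j 2 lookup code and is out of scope here."""
    v = parse_version(version)
    if v[0] != 2:
        return True  # not the Log4j 2 code path; handle 1.x end-of-life separately
    if v >= (2, 17, 1):
        return True
    if (2, 12, 4) <= v < (2, 13, 0):  # Java 7 backport branch
        return True
    if (2, 3, 2) <= v < (2, 4, 0):  # Java 6 backport branch
        return True
    return False


def scan_jar(data, name="<root>", depth=0, max_depth=4):
    """Return findings for the archive bytes `data` and every archive nested in it.

    Each finding is {"jar", "version", "jndi_lookup", "status"} where status is
    "vulnerable", "patched", or "review" (JndiLookup present but no version metadata,
    which is what shaded builds that strip pom.properties look like)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupt); nothing to inspect
    with zf:
        names = sorted(zf.namelist())  # sorted for deterministic report order
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
        if version is not None:
            status = "patched" if log4shell_fixed(version) else "vulnerable"
            findings.append({"jar": name, "version": version, "jndi_lookup": has_jndi, "status": status})
        elif has_jndi:
            findings.append({"jar": name, "version": None, "jndi_lookup": True, "status": "review"})
        if depth < max_depth:
            for inner in names:
                if inner.endswith(NESTED_ARCHIVES):
                    findings.extend(scan_jar(zf.read(inner), f"{name}!/{inner}", depth + 1, max_depth))
    return findings


def build_jar(entries):
    """Construct an in-memory JAR from {entry_name: bytes}. Test fixture, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, payload in entries.items():
            zf.writestr(entry, payload)
    return buf.getvalue()


def demo():
    """Scan a constructed WAR bundling an old log4j-core, a fixed one, and a shaded copy."""
    class_stub = b"\xca\xfe\xba\xbe"  # placeholder bytes standing in for a real .class file
    old_core = build_jar({POM_PROPS: b"version=2.14.1\n", JNDI_LOOKUP: class_stub})
    new_core = build_jar({POM_PROPS: b"version=2.17.1\n", JNDI_LOOKUP: class_stub})
    shaded = build_jar({JNDI_LOOKUP: class_stub})  # relocated build with metadata stripped
    app_war = build_jar({
        "WEB-INF/lib/app-all.jar": shaded,
        "WEB-INF/lib/log4j-core-2.14.1.jar": old_core,
        "WEB-INF/lib/log4j-core-2.17.1.jar": new_core,
    })
    return scan_jar(app_war, "app.war")


if __name__ == "__main__":
    for finding in demo():
        print(f'{finding["status"]:<10} {finding["jar"]}  version={finding["version"]}')
```

A "review" result is deliberately not collapsed into "vulnerable": JndiLookup.class is still shipped in fixed releases (JNDI is simply disabled by default from 2.16.0 onward), so the class alone proves that Log4j 2 is present, not which version, and the artifact needs a human to pin the version down.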

CodeSec is just the start of how Contrast Security can help your organization find and fix Log4j vulnerabilities.  We have an extensive, dedicated portal for Log4j where you can find webinars, whitepapers and information about Contrast Security’s entire Secure Code Platform.

Jacob Mages-Haskins, Staff Software Engineer, Contrast Security

Jacob is a software engineer with decades of experience. He lives in New England with his family and enjoys reading, gardening and the outdoors.