Google launches security fuzzer on Log4Shell bug in open source software


The remotely exploitable flaw in Log4j – the widely deployed Java error logging library – is under attack from multiple players and is likely to remain so for many months to come, as open source projects, product vendors, and user organizations end-users correct the affected systems.

Google is now adding OSS-Fuzz to the response pool for the Internet-wide Log4j vulnerability, also known as Log4Shell. The bug is tracked as CVE 2021-44228 and was partially fixed in the Apache Foundation release of Log4j version 2.15.0 last week.

OSS-Fuzz is Google’s free service for fuzzing open source software projects and is currently used by over 500 mission-critical projects. Fuzzing involves running random code at software to produce an error, such as a crash, and uncover potential security holes.

LOG4J Vulnerability Coverage – What You Need To Know Now:

To research Log4Shell’s weaknesses in new open source software, Google is teaming up with security firm Code Intelligence to provide continuous fuzz for Log4j.

Code Intelligence creates Jazzer, an open source fuzz engine that is now part of OSS-Fuzz, and has been modified to identify Log4j vulnerabilities in developing code. Google awarded $ 25,000 to Code Intelligence for its work on the Log4j fuzzing.

“Since Jazzer is part of OSS-Fuzz, all integrated open source projects written in Java and other JVM-based languages ​​are now continually researched for similar vulnerabilities,” Code Intelligence notes in a press release.

Jazzer is also able to detect remote JNDI searches – a strong sign that potential attackers are looking for the vulnerability on a network.

JNDI (Java Naming and Directory Interface) is an interface for connecting to directories of LDAP (Lightweight Directory Access Protocol) servers, and the flaw in Log4j is in its implementation of JNDI.

As Cisco’s Talos researchers explain, the flaw allows a remote attacker to use a simple LDAP request to trigger the vulnerability in versions prior to 2.15 of Log4j, then retrieve a payload from a server remote and run it locally on a vulnerable device.

Apache Foundation released version 2.16.0 of Log4j this week to fix a second related flaw originating from JNDI which is tracked as CVE 2021-45046. This flaw allowed an attacker to create data models in a JNDI message search and to paralyze a machine with a denial of service (DoS).

Log4j 2.16.0 disables access to JNDI by default and limits the default protocols to Java, LDAP, and LDAPS. Disabling JNDI was previously a manual step to mitigate attacks against the original vulnerability.

Most efforts are now focused on vendors updating Log4j in their products and end user organizations applying updates as they become available. For example, the United States Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies until December 24 to identify all applications affected by Log4Shell. Cisco, VMware, IBM and Oracle are busy developing fixes for their affected products.

LOG4J Vulnerability Coverage – How To Keep Your Business Safe:

Google’s OSS-Fuzz takes a different approach to Log4j, aimed at preventing developers from accidentally inserting the flaw into new software projects that could potentially be deployed in production environments.

“Vulnerabilities like Log4Shell are a revelation to the industry in terms of new attack vectors. With OSS-Fuzz and Jazzer, we can now detect this class of vulnerability so that they can be fixed before they become a problem in production code. says Jonathan Metzman of Google’s Open Source Security Team.


Comments are closed.