As a result of Log4Shell’s popularity and easy exploitability, its potentially severe impact is tremendous. What has emerged is not just how mainstream it is, but how deeply woven it is into the software we use, and how difficult it is to detect.
Because it is common across open source and third-party applications, it is likely used by many applications in your codebase, as is often the case with open source dependencies. In production environments, detecting Log4Shell is more difficult because Java files (such as Log4j) are sometimes buried several levels deep, making it difficult to find with a quick search. Additionally, Java packages can come in various formats, making it difficult to dig them out of other Java packages.
Log4j is embedded in dependencies on flawed code, either directly or indirectly, up and down the supply chain. Most of the affected artifacts come from indirect dependencies; those dependencies are used directly by your project. Meaning Log4j is not explicitly defined as a dependency of the artifact but gets pulled in as a transitive dependency.
It can be packaged in many different formats such as Java Archive Files (JARs), Tape Archive (TAR), Web Application Archive (WAR), Enterprise Application Archive (EAR), Service Application Archive (SAR), etc. Java code can be buried as many as nine levels deep in these formats.
Keeping current with Log4j dependencies and new exploits is a complex and ongoing challenge. Organizations struggle to find the proverbial needle in hundreds of haystacks in a constantly changing environment. Then there is the issue of finding the right security tool to use across numerous applications and networks.
Threatrix scanning agent, as part of our open source security and compliance solution, automatically finds open source vulnerabilities during software development thanks to our True Match technology, allowing your developers to focus on what’s essential, coding. True Match gives us the unique ability to detect log4j in your projects, direct and transitive dependencies, as source code from a forked or downloaded project, or embedded directly into your source code. Threatrix provides extreme fidelity even in cases where developers have changed the file, class, method, or variable names.
We’re working closely with our customers to help them detect log4j in these difficult-to-discover use cases.
Threatrix Supply Chain Security platform enables security teams to fix what they can’t see and legal teams to discover what they don’t know.
Original research provided by Rezillion and Log4j Scanner Blindspots