JFrog releases Tools to Identify Log4j Utilization

Automation solutions provider for building, testing, and deploying software, Jfrog, has released four new tools aimed at developers to detect the presence and utilisation of Apache Log4j in source code and binaries. Log4j is a Java-based logging utility which acts as a journal to log what happens in software applications and online services. 

The four tools are available for download on GitHub for Java and Phython. 

“In times of crisis open-source tools that scan both binaries and source code allow community collaboration and contributions to collectively solve immediate and long-term security issues, which is why we’re proud to release these tools today,” said Asaf Karas, CTO of JFrog Security Research.  

Also read: ‘Log4j flaw can potentially affect 3 out of 10 websites across globe’

The tools are expected to help companies perform specialised scans to identify direct or indirect dependencies, as well as include instances where Log4j doesn’t appear as a separate file, but can be bundled inside a software package which is larger, hence making it harder to detect.   

The new tools will be command line-based for easy integration with the existing environments of developers. Jfrog said that their open-core will help ensure capabilities will continue to evolve over time.   

“The Log4j vulnerability has set the enterprise software landscape on fire due to its widespread usage as a component across the software supply chain, making it difficult to rapidly pinpoint and remediate,” added Karas. 

Earlier this week, Cybersecurity Company CheckPoint revealed that a vulnerablity called Log4Shell, detected last week in Apache Log4J, was exploited by attackers to target companies globally, including India. Checkpoint claimed that 41% of corporate networks in India had already faced an attempted exploit.   

Government officials in Austria, Canada, New Zealand, the UK, and the US sounded alarms over the vulnerability, and urged enterprises to take immediate action.   

The Log4j vulnerability was originally discovered and reported by Alibaba Cloud’s security team on November 24.