A bug in the Log4j library can allow an attacker to execute arbitrary code on systems that use Log4j to write logs.
Log4j is an old-timer open-source library used by many software developers and built-in into many Java-based platforms. A common scenario would be to log write the user-agent HTTP header to the log. However, it can be any part of the HTTP request, not only the HTTP protocol.
This security vulnerability affects many applications, some of which you can find in any organization (e.g., VMWare, AWS, Google, and many more). However, some may be unique and specific to your organization alone.
The challenge is finding Log4j because of the way Java packaging works. It's possible you have Log4j hiding somewhere in your application and don’t even know about it.
Test if your applications are vulnerable to Log4j
Why is it a challenge to address Log4j?
The Java ecosystem distributes dependencies as Java archive (JAR) files. These files are packages that one can use as a Java library. For example, you can have a JAR nested in a JAR.
This situation creates many layers that all need to be investigated. Just looking at the JARs your project draws directly may not be enough, since Log4j could be hiding inside another JAR file!
How Komodo Consulting addresses
Log4j vulnerabilities
Komodo Consulting scans many nested JAR files layers, identify their existence, their version, and report which vulnerabilities your software contains.
We can scan your applications no matter where they reside:
Scan a directory on disk
Scan a container image locally
Scan a container in a remote registry
We recommend scanning source code before or after building the final application. It’s important to scan your applications during every stage of development. A clean source code scan doesn't mean the final build will be. Even scanning after deployment is a good idea. Maybe you didn’t pick up a critical Log4j vulnerability last week, but this week you might!
Why Us?
Komodo Consulting is a high-end cyber security firm that specializing in Third-Party Cyber Risk Assessment, Application Security, Black-Box Penetration Testing, Red-Team Exercises, serving Fortune 500 companies in Israel, Europe, and the US.
Founded by leading consulting experts with decades of experience, the team includes seasoned security specialists with worldwide information security experience and military intelligence experts.
Trusted by the World's Best Companies
We've been working with Komodo, our trusted advisers on application security and penetration testing, for over six years now. They consistently provide us with invaluable insights, briefings, and value. I wholeheartedly recommend them to any company needing first-class application and cyber security services.
Amir Levi, CTO, Harel Insurance
What Our Clients Say
Working with Komodo Consulting has always been a streamlined, efficient process. Results are always to the point and right on time, accompanied by valuable insights and advice.
Eldan Ben-Haim, CTO, Trusteer (IBM)
Test if your applications are vulnerable to Log4j