Like many other companies, we’re closely following the multiple CVEs regarding Apache Log4j 2. Our security teams are investigating any potential impact on Google products and services and are focused on protecting our users and customers.

We encourage anyone who manages environments containing Log4j 2 to update to the latest version.

Based on findings in our ongoing investigations, here is our list of product and service updates as of December 17th (CVE-2021-44228 & CVE-2021-45046):

Android is not aware of any impact to the Android Platform or Enterprise. At this time, no update is required for this specific vulnerability, but we encourage our customers to ensure that the latest security updates are applied to their devices.

Chrome Browser releases, infrastructure and admin console are not using versions of Log4j affected by the vulnerability.

Chrome OS releases and infrastructure are not using versions of Log4j affected by the vulnerability.

Google Cloud has a specific advisory dedicated to updating customers on the status of GCP and Workspace products and services.

Google Marketing Platform, including Google Ads, is not using versions of Log4j affected by the vulnerability. This includes Display & Video 360, Search Ads 360, Google Ads, Analytics (360 and free), Optimize 360, Surveys 360 & Tag Manager 360.

YouTube is not using versions of Log4j affected by the vulnerability.

We will continue to update this advisory with the latest information.

The below numbers were calculated based on both log4j-core and log4j-api, as both were listed on the CVE. Since then, the CVE has been updated with the clarification that only log4j-core is affected. The ecosystem impact numbers for just log4j-core, as of 19th December, are over 17,000 packages affected, which is roughly 4% of the ecosystem. 25% of affected packages have fixed versions available. The linked list, which continues to be updated, only includes packages which depend on log4j-core.

More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry. The vulnerabilities allow an attacker to perform remote code execution by exploiting the insecure JNDI lookups feature exposed by the logging library log4j. This exploitable feature was enabled by default in many versions of the library.

Another difficulty is caused by ecosystem-level choices in the dependency resolution algorithm and requirement specification conventions.

In the Java ecosystem, it’s common practice to specify “soft” version requirements: exact versions that are used by the resolution algorithm if no other version of the same package appears earlier in the dependency graph. Propagating a fix often requires explicit action by the maintainers to update the dependency requirements to a patched version.

This practice is in contrast to other ecosystems, such as npm, where it’s common for developers to specify open ranges for dependency requirements. Open ranges allow the resolution algorithm to select the most recently released version that satisfies dependency requirements, thereby pulling in new fixes. Consumers can get a patched version on the next build after the patch is available, which propagates up the dependencies quickly. (This approach is not without its drawbacks: pulling in new fixes can also pull in new problems.)

The discovery of the Log4Shell vulnerability has set the internet on fire. Similar to shellshock and heartbleed, Log4Shell is just the latest catastrophic vulnerability in software that runs the internet. Our mission as the Google Open Source Security Team is to secure the open source libraries the world depends on, such as Log4j. One of our capabilities in this space is OSS-Fuzz, a free fuzzing service that is used by over 500 critical open source projects and has found more than 7,000 vulnerabilities in its lifetime. We want to empower open source developers to secure their code on their own. Over the next year we will work on better automated detection of non-memory corruption vulnerabilities such as Log4Shell.
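As an added illustration of the two resolution conventions contrasted above (Maven-style "soft" exact requirements resolved nearest-wins, versus npm-style open ranges that pick the newest satisfying release), here is a toy resolver in Python; it is not code from the Google post. The registry, the package names lib-pinned and lib-ranged, the (min, max) range notation and the choice of 2.17.0 as the patched log4j-core release are all constructed assumptions.

```python
from collections import deque
# Constructed registry: package -> version -> list of (dependency, requirement).
# Maven-style entries carry an exact ("soft") version; npm-style entries carry a
# (min_inclusive, max_exclusive) range. Only 2.17.0 is treated as patched here.
REGISTRY = {
    "log4j-core": {"2.14.1": [], "2.15.0": [], "2.17.0": []},
    "lib-pinned": {"1.0": [("log4j-core", "2.14.1")]},
    "lib-ranged": {"1.0": [("log4j-core", ("2.14.0", "3.0.0"))]},
}
VULNERABLE = {"2.14.1", "2.15.0"}

def ver(v):
    return tuple(int(x) for x in v.split("."))

def resolve_nearest_wins(root_deps):
    """Maven model: breadth-first walk, so the declaration nearest the root wins;
    each requirement is an exact version and is never upgraded automatically."""
    chosen = {}
    queue = deque(root_deps)
    while queue:
        pkg, req = queue.popleft()
        if pkg in chosen:
            continue  # a nearer declaration already decided this package
        chosen[pkg] = req
        queue.extend(REGISTRY[pkg][req])
    return chosen

def resolve_open_ranges(root_deps):
    """npm model: for each range, take the newest published version inside it."""
    chosen = {}
    queue = deque(root_deps)
    while queue:
        pkg, (lo, hi) = queue.popleft()
        if pkg in chosen:
            continue
        candidates = [v for v in REGISTRY[pkg] if ver(lo) <= ver(v) < ver(hi)]
        chosen[pkg] = max(candidates, key=ver)
        queue.extend(REGISTRY[pkg][chosen[pkg]])
    return chosen

def log4j_is_vulnerable(resolution):
    return resolution.get("log4j-core") in VULNERABLE

if __name__ == "__main__":
    # Transitive pin: 2.17.0 is published, but the pinned graph still resolves 2.14.1.
    print(resolve_nearest_wins([("lib-pinned", "1.0")]))
    # Nearest wins: a direct requirement on 2.17.0 overrides the transitive pin.
    print(resolve_nearest_wins([("log4j-core", "2.17.0"), ("lib-pinned", "1.0")]))
    # Open range: the newest satisfying release is selected on the next build.
    print(resolve_open_ranges([("lib-ranged", ("1.0", "2.0"))]))
```

The second Maven case is the explicit maintainer action the post describes: the fix only reaches the pinned graph once someone declares the patched version nearer the root.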