Apache Log4j2, the library affected by the remote code execution vulnerability CNVD-2021-95914, is a Java-based logging tool and an upgrade to Log4j. As one of the best Java logging frameworks available, it is widely used in business system development.

Vulnerability information

As early as November 24, 2021, the Alibaba Cloud security team reported this vulnerability. To help users identify it quickly and avoid potential attacks, the cloud effect technology team provided a solution for it.

Source-level scanning stops the risk in time

Codeup, the cloud effect code management platform of Aliyun, supports real-time scanning of dependency package risks at the source level and provides a vulnerability repair plan. It can automatically scan the enterprise code base and report vulnerabilities quickly, avoiding the omissions that manual visual inspection can cause.

Log4j has been identified as a Blocker-level vulnerability, and updating as soon as possible is strongly recommended:

How to use detection

The code base administrator opens the repository Settings – Integration and Services page and enables “Dependency Package Vulnerability Detection”; note that for Java code, “Set Java Detection parameters” also needs to be checked:

After this function is enabled, detection starts automatically on the default branch. Once detection is completed, you can view the detection details of the branch code. The detection report provides a vulnerability description and repair suggestions:

Because the vulnerability library is updated in real time, code libraries that were scanned in the past need the detection to be switched on again, or a new commit submitted, to trigger the latest scan.

How to fix the vulnerability

Based on the check suggestions, change the dependency version of Apache Log4j to the latest, log4j 2.15.0.

Automatic vulnerability repair

Manually updating dependency files one by one is very tedious. Codeup, the cloud effect code management platform, also provides intelligent automatic vulnerability repair. When a security vulnerability is detected, a yellow label on the “Security” problem list page offers one-click automatic repair:

Expand the details of the problem and click the “Create Merge request automatic repair” button to generate a merge request automatically. After manual review and confirmation, a one-click merge fixes the vulnerability automatically:

Looking at the file differences, you can see that the merge request has automatically upgraded the Log4j dependency version in the code's pom.xml to the recommended secure version:

After manual confirmation, click Merge; the merged code changes automatically trigger the code detection service again. Check the detection results to confirm that the vulnerability has been fixed:
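As an added example that is not Codeup's own code and not part of this article, the following Python script performs the two steps just described on a constructed pom.xml: a source-level scan that resolves the log4j-core version (including one pinned through a Maven property, which a quick visual check of the dependency list would miss) and flags it when it is below 2.15.0, then the automatic repair that bumps the version, followed by a re-scan to confirm the fix. The Maven POM layout, the choice of log4j-core as the affected artifact, the dotted-integer version comparison and the sample pom.xml are assumptions of this example, not statements from the article.

```python
"""Added example (not Codeup's code): scan a Maven pom.xml for a pre-fix
log4j-core dependency, bump it to 2.15.0 as the merge request would, and
re-scan to confirm.  Assumptions: Maven POM 4.0.0 layout, versions compared
as dotted integers, log4j-core as the affected artifact."""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": MAVEN_NS}
ET.register_namespace("", MAVEN_NS)   # serialise without an ns0: prefix

FIXED_VERSION = "2.15.0"              # version the article recommends
# (groupId, artifactId) pairs treated as affected below FIXED_VERSION (assumption)
AFFECTED = {("org.apache.logging.log4j", "log4j-core")}

# Constructed sample input (not from the article): the version is pinned
# through a property, so <dependencies> alone does not show the number.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""

PROP_REF = re.compile(r"\$\{([^}]+)\}")


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored and
    missing components are padded with 0 so '2.15' equals '2.15.0'."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _local(tag):
    return tag.split("}")[-1]


def _properties(root):
    """Collect <properties> so ${name} version references can be resolved."""
    props = {}
    props_elem = root.find("m:properties", NS)
    if props_elem is not None:
        for child in props_elem:
            props[_local(child.tag)] = (child.text or "").strip()
    return props


def scan_pom(pom_xml):
    """One finding per affected dependency: 'vulnerable' with the resolved
    version, or 'unresolved' when the version comes from a parent/BOM and
    cannot be judged from this file alone."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    findings = []
    for dep in root.iterfind(".//m:dependencies/m:dependency", NS):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        if key not in AFFECTED:
            continue
        raw = _text(dep, "version")
        ref = PROP_REF.fullmatch(raw or "")
        prop = ref.group(1) if ref else None
        version = props.get(prop) if ref else raw
        if not version:
            findings.append({"artifact": key[1], "version": None,
                             "property": prop, "status": "unresolved"})
        elif parse_version(version) < parse_version(FIXED_VERSION):
            findings.append({"artifact": key[1], "version": version,
                             "property": prop, "status": "vulnerable"})
    return findings


def repair_pom(pom_xml):
    """Bump every vulnerable finding to FIXED_VERSION.  A ${property}
    reference is fixed at the property so every user of it moves; otherwise
    the literal <version> on the dependency is replaced."""
    root = ET.fromstring(pom_xml)
    props_elem = root.find("m:properties", NS)
    for finding in scan_pom(pom_xml):
        if finding["status"] != "vulnerable":
            continue
        if finding["property"] and props_elem is not None:
            for child in props_elem:
                if _local(child.tag) == finding["property"]:
                    child.text = FIXED_VERSION
            continue
        for dep in root.iterfind(".//m:dependencies/m:dependency", NS):
            if _text(dep, "artifactId") == finding["artifact"]:
                dep.find("m:version", NS).text = FIXED_VERSION
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", scan_pom(SAMPLE_POM))
    print("after :", scan_pom(repair_pom(SAMPLE_POM)))   # re-scan confirms the fix
```

The re-scan after repair_pom mirrors the article's last step: the merged change is checked again rather than trusted. A dependency whose version is inherited from a parent POM or BOM is reported as unresolved instead of silently passing, which is the case a single-file check is most likely to get wrong.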

The ultimate cloud code hosting protection

The Apache Log4j2 open source dependency package vulnerability is a wake-up call for everyone: enterprise code, as one of the most important digital assets, is likely to face various security risks. Enterprises and developers need to think about how to protect their code data more comprehensively while solving this single-point problem.

Codeup, the cloud effect code management platform of Aliyun, provides a wealth of security services to protect enterprise code assets in terms of access security, data credibility, audit risk control, storage security and other aspects. If you are starting to pay attention to security, go to cloud effect Codeup and explore it right away.


This article is the original content of Aliyun and shall not be reproduced without permission.