Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

December 2021

Snyk Log4Shell Stranger Danger Live Hack (APJ)

Note: As of Dec. 28, 2 PM PST, we recommend upgrading to the latest Log4j version. We give a brief overview of the vulnerability and dive right into some examples of the exploit in action. We then show several real-world remediation approaches as well as other fixes outside code.. We give a final round of fun demos, including container and IaC hacks as well as Java-based game hacks. We wrap up with a great list of takeaway resources and answer your questions.

New Log4j 2.17.1 fixes CVE-2021-44832 remote code execution but it's not as bad as it sounds

As previously predicted to unfold, at approximately 7:35 PM GMT, 28th of December 2021, another security vulnerability impacting the Log4j logging library was published as CVE-2021-44832. This new CVE-2021-44832 security vulnerability is affecting versions up to 2.17.0, which was previously thought to be fixed. This vulnerability is similar in nature to CVE-2021-4104 which affected the 1.x branch of Log4j.

Log4Shell PoC exploit and mitigation demo on Kubernetes

Demonstration of an RCE against the Log4Shell / CVE-2021-44228 vulnerability on a PoC Java EE app running on Kubernetes. I also go over a few mitigation steps you can take to reduce your exposure to this and other such exploits. References mentioned in the video: Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

It takes a community: Responding to open source criticism post-Log4Shell

The last week has been a wild ride for just about everyone in the technology world due to the public disclosure of the Log4Shell vulnerability. As a developer security company, Snyk has built our business around proactive automation to identify and fix security issues in applications. To say we’ve been busy this week would be an understatement.

Snyk Log4Shell Stranger Danger Live Hack

In this recorded session, we present a live hack webinar on the Log4Shell exploit. We give a brief overview of the vulnerability and dive right into some examples of the exploit in action. We then show several real-world remediation approaches as well as other fixes outside code. We give a final round of fun demos, including container and IaC hacks as well as Java-based game hacks. We wrap up with a great list of takeaway resources and answer your questions.

Snyk Code Hands-on Workshop

Snyk Code is developer-first: embedding SAST as part of the development process, enabling developers to build software securely during development, and not trying to find and fix problems after the code is compiled. Snyk Code works in the IDEs and SCMs developers use to build and review software and provides fast, actionable, meaningful results to fix issues in real-time.

Snyk Container in 2021: Shifting container security all the way left

No matter how you slice it, the use of containers and Kubernetes continues to swell. And recent high profile vulnerabilities-that-shall-not-be-named have shown us how important container security is for an overall application security program. Protecting your own code, your dependencies, and the containerized services you use are all a must.

Snyk IaC in 2021: Leading infrastructure as code security for developers

With great automation, comes great risk. The advent of infrastructure as code brought about automation for the tedium of deploying, provisioning, and managing resources in public clouds with declarative scripts. However, this automation increased the importance of creating secure IaC scripts or configurations with cloud infrastructure misconfigurations being cited as the biggest area of increased concern (58%) from 2020 to 2021 in the 2021 Snyk Cloud Native Application Security report.

Snyk Open Source in 2021: A year of innovation

More than 90% of organizations rely on open source software, a reliance that introduces a significant amount of security and legal risk via either direct or transitive open source dependencies. To overcome this challenge, Software Composition Analysis (SCA) solutions are playing an increasingly important role in helping organizations successfully identify and mitigate potential security issues.

Snyk Code in 2021: Redefining SAST

Starting in early 2021, Snyk Code and became available as a freemium offering for Snyk users. Snyk Code helps developers quickly and accurately find, prioritize, and fix security flaws in proprietary code. With detailed remediation guidance at every stage of the software development lifecycle (SDLC), from the developer’s environment (IDE) to continuous integration and development (CI/CD) pipelines, Snyk Code revolutionizes static application security testing (SAST).

Live Hacking: Find Vulnerabilities in Your Apps Before Hackers Do

As cloud-native technologies disrupt the Application Security (AppSec) market, forward-thinking enterprises are shifting their security to the left. A range of cutting-edge security platforms is now available, empowering developers to build secure applications within the development process. But what do secure applications look like, and why does it matter? Why are enterprises implementing security during the deployment phase?

Snyk makes it easier to fix Log4Shell with extended free scans

Due to the recently discovered Log4Shell vulnerability, and to support the tremendous effort being mounted by the community to address it, we are happy to announce that we are increasing the free test limit in Snyk Open Source! This means that any developer, no matter the company or project, can now use Snyk Open Source to find and fix Log4Shell with double the number of free tests, whether it’s within your IDE, your Git repositories, CI environments, or using the Snyk CLI.

Log4j 2.16 High Severity Vulnerability (CVE-2021-45105) Discovered

Overnight, it was disclosed by Apache that Log4j version 2.16 is also vulnerable by way of a Denial of Service attack with the impact being a full application crash, the severity for this is classified as High (7.5). Snyk is currently not aware of any fully-fledged PoCs or exploits in circulation. CVE-2021-45105 has been issued, and a new fixed version (2.17) has been published by Apache which we recommend upgrading to.

DevSecOps and Data Engineering

As security is adopted more in the shift left devsecops approach it brings with it a re-examining of the full SDLC. This is increasingly important not only as part of security policies and app handling but also ensuring the protection of infrastructure, data and end user app experiences. In this Snyk Live episode we are joined by Saman Fatima, sharing experiences around security practices and approach. Looking at DevSecOps practices like IAM and how security can apply to data engineering.

How do we solve a problem like Log4shell?

With the infamous Log4shell vulnerability spread far and without any direct fixes available yet, what do we do? Our panel of Java champions discuss the immediate reality, the near term solutions, and how the community can help itself and its members Speakers Host - Randall Degges | Head of Developer Relations & Community at Snyk Ana-Maria Mihalceanu | Developer Advocate Red Hat Martijn Verburg | Principal Engineering Group Manager (Java) at Microsoft

Snyk + Dynatrace workshop: Integrating for real-time vulnerability detection

Since 2019, Snyk and Dynatrace have partnered with a shared mission of securing the entire software development lifecycle (SDLC) and accelerating digital transformation. As many agile organizations migrate their workloads to the cloud, it’s tempting for teams to let security take a back-seat until all the pieces of the infrastructure puzzle are in place.

What has the Log4shell vulnerability taught us about application security?

A week ago, we had no idea what Log4shell was. Today, we have the global developer community coming together to keep itself safe from a vulnerability that ranks the highest in terms of risk. We need technical solutions, but what does it mean for the landscape of application security, and what have we learned from this situation?

Security in context: When is a CVE not a CVE?

At Snyk we have some general points of principle that we use to help guide our security thinking and decision making. Firstly, it is always important to understand from whom we are protecting, as it has implications for how we need to act. As an example of this, if our artefact is a web server, then we need to protect it against untrusted users. Whilst if our artefact is encryption software, then we clearly need to protect it even from users with physical access to the system.

Log4Shell: What You Need to Know About the Log4j Vulnerability (APJ)

A new critical vulnerability, Log4Shell, was publicly disclosed on December 10th and is making global headlines. It impacts a wide amount of applications on the internet, allowing attackers to remotely execute code within vulnerable applications worldwide. In this webinar recording, Snyk technical experts provide an in-depth technical review of the Log4Shell vulnerability, what caused it, how it can be exploited, and most importantly, how it can be mitigated through upgrades, or defended against in WAF configurations and more.

Log4Shell in a nutshell (for non-developers & non-Java developers)

If you’re in tech at all, you’ve likely heard of the Log4Shell exploit taking over the Intertubes. If you’re not a Java developer (or developer of any sort), you may be left scratching your head as to just what’s going on. This post is split into two parts: an explanation of Log4Shell for non-developers and an overview of the Log4Shell vulnerability for non-Java developers.

Log4Shell: What You Need to Know About the Log4j Vulnerability

A new critical vulnerability, Log4Shell, was publicly disclosed on December 10th and is making global headlines. It impacts a wide amount of applications on the internet, allowing attackers to remotely execute code within vulnerable applications worldwide. In this webinar recording, Snyk technical experts provide an in-depth technical review of the Log4Shell vulnerability, what caused it, how it can be exploited, and most importantly, how it can be mitigated through upgrades, or defended against in WAF configurations and more. We cover.

Fireside Chat: Log4j and Injection Flaws

Join us for a fireside chat with Micah Silverman, Snyk's Director of DevSecOps Acceleration, and Vandana Verma, Security Relations Leader at Snyk, as we answer your #Log4Shell questions: What is it and how does it affect us? How do I find and fix the #Log4J vulnerability? What can other language ecosystems learn from this? We'll also talk about the OWASP Top 10 and injection flaws.

Don't panic, we'll get through Log4shell together

On December 10th, the world was greeted by the latest great cyber security threat, and the developer community globally is working tirelessly to secure their applications. Find out what the notorious Log4shell vulnerability is, how developers and organisations are being affected by it, and what exposed ecosystems are doing to mitigate the risk. Guests Brian Clark - Senior Developer Advocate at Snyk Kyle Suero - Senior Security Advocate at Snyk Chris Russell - CISO at tZERO Alyssa Miller - BISO - S&P Global Ratings

Find and fix the Log4Shell exploit fast with Snyk

Even if you tried VERY hard to enjoy a quiet weekend, chances are that this plan was interrupted at least once by the new Log4Shell zero-day vulnerability that was disclosed on Friday (December 10, 2021). The new vulnerability was found in the open source Java library log4j-core which is a component of one of the most popular Java logging frameworks, Log4J.

The Log4j vulnerability and its impact on software supply chain security

By now, you already know of — and are probably in the midst of remediating — the vulnerability that has come to be known as Log4Shell and identified as CVE-2021-44228. This is the vulnerability which security researchers disclosed on Friday (10 December 2021) for Apache’s Log4j logging framework. In this article, we’ll explore a few key Log4j facts as well as actions you can take to protect yourself and your company.

Find and fix vulnerabilities in your CI/CD pipeline with Snyk and Harness

When DevOps emerged more than ten years ago, the main focus was to bridge the gaps between dev and ops teams. This was achieved by introducing automation to the processes of designing, building, testing, and deploying applications. But as development teams continue to deliver faster and more frequently, security teams find it difficult to keep up. Often, they become the bottleneck in the delivery pipeline.

Log4Shell vulnerability disclosed: Prevent Log4j RCE by updating to version 2.15.0

Today (Dec.10, 2021), a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228, categorized as Critical with a CVSS score of 10 (the highest score possible). The vulnerability was discovered by Chen Zhaojun from Alibaba’s Cloud Security team. All current versions of log4j2 up to 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.15.0 or later.

Responsible disclosure: CodeCov CEO & CTO share learnings from the breach

In January of 2021, CodeCov suffered a supply chain attack that exposed client environment variables. In the following months, the specifics of the breach and its technical applications have been thoroughly examined by the application security community to determine what went wrong and how to combat similar attacks in the future. But another interesting outcome of the breach were the insights into a slightly less glamorous topic: responsible disclosure.

How to Scale Developer Security Using Snyk (Demo)

Emerging cloud-native technologies have shifted and expanded the scope of AppSec as we know it. Digital transformation and scale now hinges on developers’ ability to build and deploy rapidly – and doing so securely. Snyk’s developer security platform is designed to work like a developer tool – making it not only easy to find issues but to fix them quickly. In this recorded webinar, Jim Armstrong walks through a demo to show how developers can secure their proprietary code, open source libraries, container images, and infrastructure as code deployments.

Snyk Open Source adds beta C/C++ security scanning for unmanaged OSS

We’re happy to announce the open beta of C/C++ security scanning in Snyk Open Source, enabling development and security teams to find and fix known security vulnerabilities in their C/C++ open source code and libraries! Used across various industry verticals and prominent within the gaming, hardware/IoT, and communications industries, C/C++ continues to have a major impact on software development and the technology space as a whole.

Snyk Customer Story: ActiveCampaign

ActiveCampaign's Amar Patel, Engineering Manager, and Ben Harold, Senior Software Engineer share their experiences with Snyk. Snyk helps ActiveCampaign "identify vulnerabilities and communicate with upper management about the risks that need to be addressed." With Snyk, ActiveCampaign can gain get better insights into the risks on their platform and better address those risks in a more streamlined and frictionless manner.

Java JSON deserialization problems with the Jackson ObjectMapper

In a previous blog post, we took a look at Java’s custom serialization platform and what the security implications are. And more recently, I wrote about how improvements in Java 17 can help you prevent insecure deserialization. However, nowadays, people aren’t as dependent on Java’s custom serialization, opting instead to use JSON. JSON is the most widespread format for data serialization, it is human readable and not specific to Java.