Google's Open Source Security Team has announced a solution to secure open-source libraries used by thousands of users. The solution, OSS-Fuzz, is a free fuzzing service that has found over 7,000 vulnerabilities during its lifetime and is used by more than 500 open-source projects. For this effort, Google has partnered with Code Intelligence, a security company, to provide continuous fuzzing for Log4j as part of OSS-Fuzz.
Continuous fuzzing for Log4j
For the partnership, Code Intelligence improved its Jazzer fuzzing engine so that it can detect remote JNDI lookups. Google has awarded the company $25,000 for the effort and stated that it will continue to work with them toward a secure open-source ecosystem.
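To make the integration concrete, here is what a Jazzer fuzz target for a Log4j logging call looks like. This is an added illustration, not code from the article, from Google, or from Code Intelligence's OSS-Fuzz integration. It assumes the Jazzer API (`FuzzedDataProvider`, the `fuzzerTestOneInput` entry point) and the Log4j 2 API are on the classpath, and that the class name `Log4jFuzzer` and the log message are placeholders chosen for this example. The harness itself contains no attack string: the fuzzer generates the inputs, and Jazzer's JNDI detection reports a finding when a generated input causes the logger to perform a remote lookup, which is the defect the page says the improved engine can now surface.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// Hypothetical fuzz target (not from the page or the project).
// Jazzer repeatedly calls fuzzerTestOneInput with mutated byte inputs.
public class Log4jFuzzer {

    private static final Logger LOG = LogManager.getLogger(Log4jFuzzer.class);

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Treat the whole fuzzer input as untrusted text, the way a request
        // header or user-supplied field would reach a real application.
        String untrusted = data.consumeRemainingAsString();

        // The pattern under test: untrusted data flows into a log message.
        // On a vulnerable Log4j version the library may resolve lookups inside
        // the message; Jazzer's sanitizer flags any resulting remote JNDI lookup
        // as a finding so the project can fix it before release.
        LOG.error("Request header value: {}", untrusted);
    }
}
```

In OSS-Fuzz such a target is built once and then run continuously against every new commit of the library, so a regression that reintroduces lookup processing on logged data is caught by the fuzzer rather than by an attacker.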
Google also stated that vulnerabilities like Log4Shell are an eye-opener for the industry, and that with OSS-Fuzz and Jazzer it can now detect this type of vulnerability, allowing users to fix them before something unwanted happens.