Use cloud codeup10 minutes to urgently fix Apache log4j2 vulnerability

Time:2022-3-18

On December 10, 2021, the national information security vulnerability sharing platform (cnvd) included Apache log4j2 Remote Code Execution Vulnerability (cnvd-2021-95914), which is a Java based logging tool and an upgrade of log4j. As one of the best Java logging frameworks, it is widely used in business system development.

Vulnerability information

 

As early as November 24, 2021, Alibaba cloud security team reported the vulnerability. In order to help you identify the vulnerability faster and avoid potential attacks, the cloud effect technology team provided a solution to the vulnerability.

Source level scanning to kill the risk in time

The “dependency package vulnerability detection” of codeup, Alibaba cloud’s effective code management platform, supports real-time scanning of dependency package risks at the source level and provides vulnerability repair solutions. It can automatically scan vulnerabilities for the enterprise code base and report them quickly, so as to avoid possible risk omissions caused by manual visual inspection.

Log4j has been defined as a blocker level high-risk vulnerability this time. It is strongly recommended to upgrade and repair as soon as possible:

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞 

How to use detection

The code base administrator starts “dependency package vulnerability detection” in warehouse settings – integration and services. Please note that “set Java detection parameters” should be checked for Java code:

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞

 

After opening, the default branch will automatically start to perform detection. After the detection is completed, you can view the details of branch code detection. Vulnerability description and repair scheme suggestions are provided in the detection report:

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞

 

Due to the real-time update of vulnerability library, the code library that has been scanned in history needs to actively switch or submit code to trigger the execution of the latest scan.

How to fix the vulnerability

According to the detection suggestions, modify the relevant dependent versions of Apache log4j to the latest log4j-2.15.0.

Auto fix vulnerability

Manually updating dependent files in turn is very cumbersome. The cloud code management platform codeup also provides intelligent automatic vulnerability repair capability. When the security vulnerability is detected, a yellow identification will be provided on the “security” problem list page to support one click automatic vulnerability repair:

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞

 

Expand the problem details and click the “create merge request auto repair” button to automatically generate a merge request. After manual review and confirmation, one click merge can be performed to automatically repair the vulnerability:

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞

 

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞

 

Viewing the file differences, you can see that the merge request has automatically POM the code Upgrade the log4j dependent version in XML to the recommended secure version:

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞

 

Click merge after manual confirmation, and the code merge change will automatically re trigger the code detection service. Check the detection results to confirm that the vulnerability has been repaired and solved:

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞 

Ultimate cloud code hosting protection

The vulnerability of Apache log4j2 open source dependency package sounded an alarm for everyone. As one of the most important digital assets, enterprise code is likely to be facing various security risks. While solving this single point problem, enterprises and developers also need to think about how to more comprehensively protect their code and data security.

Codeup, Alibaba cloud’s cloud efficient code management platform, provides a wealth of security services to ensure the security of enterprise code assets from the perspectives of access security, data credibility, audit risk control and storage security. If you begin to pay attention to security, you might as well go to codeup to start exploring.

使用云效Codeup10分钟紧急修复Apache Log4j2漏洞

 

Reference reading:

What is Cloud Security – codeup code intelligent security detection service

Security – Data recycle bin & code backup

Uncover the secret! Industry’s innovative code warehouse encryption technology 04 / code encryption technology unveiling


About us

Learn more about the latest developments in cloud efficiency DevOps, WeChat search focuses on cloud efficiency official account.

The official account is back to safety, so we can see the white paper on cloud efficiency product safety.

After reading it, I think it will help you. Don’t forget to like, collect and pay attention to it;