On December 10, 2021, the national information security vulnerability sharing platform (cnvd) included Apache log4j2 Remote Code Execution Vulnerability (cnvd-2021-95914), which is a Java based logging tool and an upgrade of log4j. As one of the best Java logging frameworks, it is widely used in business system development.
As early as November 24, 2021, Alibaba cloud security team reported the vulnerability. In order to help you identify the vulnerability faster and avoid potential attacks, the cloud effect technology team provided a solution to the vulnerability.
Source level scanning to kill the risk in time
The “dependency package vulnerability detection” of codeup, Alibaba cloud’s effective code management platform, supports real-time scanning of dependency package risks at the source level and provides vulnerability repair solutions. It can automatically scan vulnerabilities for the enterprise code base and report them quickly, so as to avoid possible risk omissions caused by manual visual inspection.
Log4j has been defined as a blocker level high-risk vulnerability this time. It is strongly recommended to upgrade and repair as soon as possible:
How to use detection
The code base administrator starts “dependency package vulnerability detection” in warehouse settings – integration and services. Please note that “set Java detection parameters” should be checked for Java code:
After opening, the default branch will automatically start to perform detection. After the detection is completed, you can view the details of branch code detection. Vulnerability description and repair scheme suggestions are provided in the detection report:
Due to the real-time update of vulnerability library, the code library that has been scanned in history needs to actively switch or submit code to trigger the execution of the latest scan.
How to fix the vulnerability
According to the detection suggestions, modify the relevant dependent versions of Apache log4j to the latest log4j-2.15.0.
Auto fix vulnerability
Manually updating dependent files in turn is very cumbersome. The cloud code management platform codeup also provides intelligent automatic vulnerability repair capability. When the security vulnerability is detected, a yellow identification will be provided on the “security” problem list page to support one click automatic vulnerability repair:
Expand the problem details and click the “create merge request auto repair” button to automatically generate a merge request. After manual review and confirmation, one click merge can be performed to automatically repair the vulnerability:
Viewing the file differences, you can see that the merge request has automatically POM the code Upgrade the log4j dependent version in XML to the recommended secure version:
Click merge after manual confirmation, and the code merge change will automatically re trigger the code detection service. Check the detection results to confirm that the vulnerability has been repaired and solved:
Ultimate cloud code hosting protection
The vulnerability of Apache log4j2 open source dependency package sounded an alarm for everyone. As one of the most important digital assets, enterprise code is likely to be facing various security risks. While solving this single point problem, enterprises and developers also need to think about how to more comprehensively protect their code and data security.
Codeup, Alibaba cloud’s cloud efficient code management platform, provides a wealth of security services to ensure the security of enterprise code assets from the perspectives of access security, data credibility, audit risk control and storage security. If you begin to pay attention to security, you might as well go to codeup to start exploring.
Learn more about the latest developments in cloud efficiency DevOps, WeChat search focuses on cloud efficiency official account.
The official account is back to safety, so we can see the white paper on cloud efficiency product safety.
After reading it, I think it will help you. Don’t forget to like, collect and pay attention to it;