Google adds OSS-Fuzz open source fuzzer capability to discover Log4Shell vulnerability


As the catastrophic Log4j vulnerability continues to cause havoc on the internet and in organizations, Google, in collaboration with security firm Code Intelligence, has released an update to its open source fuzzer, OSS-Fuzz, that can detect the Log4Shell vulnerability.

OSS-Fuzz is used for fuzz testing, a popular technique for discovering vulnerabilities and program errors in software, such as buffer overflows, that can lead to major security issues.

The primary objective of OSS-Fuzz is securing common open source software, and it has been used in more than 500 critical open source projects. In addition, security researchers have used the tool to discover over 7,000 vulnerabilities to date.

In partnership with the Google Open Source Security Team, security firm Code Intelligence has now improved its Jazzer fuzzing engine (part of OSS-Fuzz) to find the Log4Shell vulnerability. Jazzer is also capable of detecting remote JNDI lookups.

“With OSS-Fuzz and Jazzer, we can now detect this class of vulnerability so that they can be fixed before they become a problem in production code,” Google stated in a blog post.

Researchers had previously discovered the critical Apache Log4j vulnerability (aka “Log4Shell”) that can result in remote code execution (RCE) by logging a certain string. In addition, CISA and Microsoft also issued new guidance for Log4j vulnerability remediation.

The RCE vulnerability CVE-2021-44228 is caused by Apache Log4j2 JNDI features that do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
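To show what "detecting remote JNDI lookups" with Jazzer looks like in practice, here is an added example of a Jazzer fuzz target (not code from the article, Google, or Code Intelligence). It assumes the Jazzer API (`com.code_intelligence.jazzer.api.FuzzedDataProvider`) and a Log4j 2 dependency are on the classpath; the class name, logger and the "user-agent" sink are illustrative. The target simply routes fuzzer-generated strings into a logging call, which is the code path CVE-2021-44228 is reached through; Jazzer's JNDI sanitizer flags a finding if any generated input causes a remote `javax.naming` lookup, so the same target reports against an affected Log4j version and runs clean against a patched one.

```java
// Added example, not from the article or the projects it describes.
// Assumptions: Jazzer API jar and Log4j 2 (api + core) on the classpath;
// the Log4j version under test is whatever the project pins.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4jLookupFuzzer {
    // Illustrative application logger: the property being tested is
    // "untrusted string reaches a logger", which is how Log4Shell is triggered.
    private static final Logger LOG = LogManager.getLogger(Log4jLookupFuzzer.class);

    // Jazzer invokes this once per generated input. FuzzedDataProvider lets the
    // fuzzer produce well-formed Java strings instead of raw bytes.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        String userAgent = data.consumeRemainingAsString();

        // A request header is a realistic sink. Use ERROR level so the event is
        // enabled under Log4j 2's default configuration (root level ERROR):
        // ${...} substitution happened during message formatting, which only
        // runs for enabled events, so a filtered INFO call would never reach it.
        LOG.error("request from user-agent: {}", userAgent);
    }
}
```

Compile the class against the two dependencies and run it with the Jazzer CLI, e.g. `jazzer --cp=<classpath> --target_class=Log4jLookupFuzzer`; Jazzer's sanitizers are active by default, so no extra configuration is needed. In a CI pipeline this is the check that would have surfaced the lookup before the logging path reached production, which is the use case the Google statement above describes.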
