As the Apache Log4j vulnerability continues to wreak havoc, Google and Code Intelligence have jumped in with mitigations. Specifically, Google has collaborated with Code Intelligence to include Log4j fuzzing in its OSS-Fuzz tool to detect the Log4Shell bug.
OSS-Fuzz Tool To Detect Log4Shell Bug
Sharing the details in a blog post, Google has announced that it has enabled its fuzzing tool, OSS-Fuzz, to detect Log4Shell.
For this, Google has collaborated with the security firm Code Intelligence (CI), which has also enhanced its Jazzer fuzzing engine.
Google first coordinated with CI earlier this year when it integrated CI’s Jazzer into OSS-Fuzz. Jazzer is an in-process fuzzer for Java Virtual Machine (JVM) based languages like Kotlin and Scala. Hence, integrating Jazzer into OSS-Fuzz made Google’s security tool capable of continuous fuzzing for JVM-based projects.
Now, after the Apache Log4j vulnerability “Log4Shell” fiasco, the security community rushed to develop tools to contain this disastrous situation. Code Intelligence, in turn, improved Jazzer to detect Log4Shell and other similar RCE bugs. Because OSS-Fuzz integrates Jazzer, this enabled Google’s OSS-Fuzz to detect the Log4j bug as well.
Google believes this move will help the open-source community secure their projects against Log4Shell and similar bugs. The tech giant also pledges to continue this effort in the future.
As stated in their post,
“We want to empower open source developers to secure their code on their own. Over the next year we will work on better automated detection of non-memory corruption vulnerabilities such as Log4Shell. We have started this work by partnering with the security company Code Intelligence to provide continuous fuzzing for Log4j, as part of OSS-Fuzz.”
Google also explained that the enhanced Jazzer version (and hence, OSS-Fuzz) could detect remote JNDI lookups too.
The tech giant hopes that OSS-Fuzz and Jazzer can better facilitate the early detection and patching of such vulnerabilities.