The announcement of the Log4j vulnerability CVE-2021-44228 sent security and development teams into a tailspin and highlights one of the biggest challenges of open source security: dependency management. The open source libraries that make up approximately 80% of our applications are often a tangled web of dependencies. If tracking all of the open source components within a codebase is a challenge, tracking the direct and indirect dependencies is almost impossible to do without smart automation.
While AppSec and development professionals agree that keeping dependencies up to date is crucial for secure coding, far too many prefer to wait until a “critical” update comes along before they take action. This “If it ain’t broke” attitude is far too common, and as a result, keeping libraries updated is often given a lower priority in favor of putting out the fires of the day.
The recent Log4j vulnerabilities don’t leave any room for delay. Organizations can’t afford to add Log4j remediation to the bottom of developers’ to-do lists.
In order to help development and security teams address this challenge, today we are releasing a remediation preset for Mend Renovate and Remediate — included in both our free and commercial products — which enables users to identify and fix the Log4j vulnerability from hundreds of downstream dependent packages of Log4j.
This remediation preset helps address a challenge teams have been facing with open source security fixes in general, and one that Log4j brought to the forefront: updating indirect dependencies. Many packages in the Maven and Gradle ecosystems use Log4j, so remediating it requires more than just upgrading Log4j in direct dependencies — it may also require upgrading multiple indirect dependencies.
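To show why indirect dependencies matter here, an added example (not Mend's or the preset's code): it parses the text output of `mvn dependency:tree`, flags any `log4j-core` below an assumed fixed-version threshold, and names the direct dependency whose upgrade would remove the vulnerable copy. The sample tree and the threshold are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:safe-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
"""

# Assumed threshold for this example: versions below it are treated as vulnerable.
FIXED_VERSION = "2.17.1"
TARGET = ("org.apache.logging.log4j", "log4j-core")


def version_key(version):
    """Numeric tuple so that 2.14.1 sorts below 2.17.1."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_tree(text):
    """Yield (depth, group, artifact, version) for each node in the tree."""
    for line in text.splitlines():
        body = line.replace("[INFO] ", "", 1)
        m = re.match(r"^([|+\\\- ]*)(\S+)$", body)
        if not m:
            continue
        depth = len(m.group(1)) // 3  # each tree level is three characters wide
        parts = m.group(2).split(":")  # group:artifact:type[:classifier]:version[:scope]
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        yield depth, parts[0], parts[1], version


def find_vulnerable_log4j(text, fixed=FIXED_VERSION):
    """Return one finding per vulnerable log4j-core: its version, the path from
    the project root that pulls it in, and the direct dependency to upgrade."""
    findings, stack = [], []  # stack holds (depth, "group:artifact:version")
    for depth, group, artifact, version in parse_tree(text):
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, f"{group}:{artifact}:{version}"))
        if (group, artifact) == TARGET and version_key(version) < version_key(fixed):
            path = [coord for _, coord in stack]
            # path[0] is the project itself; path[1] is the direct dependency.
            findings.append({"version": version, "path": path,
                             "direct": path[min(1, len(path) - 1)]})
    return findings
```

Running `find_vulnerable_log4j(SAMPLE_TREE)` reports the 2.14.1 copy reached through `spring-boot-starter-log4j2`, which is the dependency a remediation rule would need to bump; the 2.17.1 copy under `safe-lib` is not reported.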
Mend has found hundreds of packages in use by our customers which have both vulnerable and fixed versions available, and we have generated a set of rules to identify and fix these.
The list is by no means exhaustive. For example, it does not include certain older versions of packages for which we’ve seen no recent use. We will continue to update the list both:
Additionally, the list itself is open source, so contributions and corrections are welcome.
Usage instructions for the preset can be found within the repository. The preset is available for all editions of Renovate (Open Source, the Mend Renovate App, and Mend Renovate On-Premises) as well as Mend Remediate, which is part of Mend’s commercial offering.
As news of new Log4j exploits continues to dominate headlines, it’s crucial for developers using Log4j to have the ability to quickly and confidently update Log4j to a secure version. Mend Renovate combined with Merge Confidence helps developers support that strategy.
Learn More: Get free tools to detect and fix Log4j vulnerabilities at our Log4j Vulnerability Resource Center.