The clock continues to tick as exploits for the recently discovered Log4j vulnerability are expected to continue well into the coming months, and even years. Companies are rushing to scan applications to locate vulnerable components affected by the Log4j attacks.
To help speed up this process, we are excited to announce Sonatype's new Log4j Visualizer feature in Sonatype Nexus Repository (as of version 3.37.2), available to all Nexus OSS and Pro users.
The Log4j Visualizer functions as a spotlight for engineering teams on Maven Log4j component downloads within their organization, and any components impacted by Log4j on internal repositories. This includes packages impacted by CVE-2021-44228, in views separated by repository, username, and IP address.
As stewards of Maven Central, Sonatype teams are working hard to ensure organizations have reliable and fast access to the latest Log4j fixes. Our available resources for application scanning and available intel accelerate protection for the software supply chain. The Log4j Visualizer will do the same with the key features highlighted below.
Show Log4j component downloads in your organization
Getting started with the new feature is simple: After logging into Sonatype Nexus Repository, you will see a prompt to enable the Log4j Visualizer. If you accept, you'll see three separate datasets, as shown below:
Screen capture of the Log4j Visualizer
Details:
- Table 1: Repository
Breaks down how many times users downloaded Log4j components that are impacted by CVE-2021-44228 from specific repositories. - Table 2: Username
Shows the usernames associated with accounts downloading impacted components. - Table 3: IP Address
Displays the IP addresses that have downloaded impacted components.
The interface also allows users to view the status of individuals by typing in any of the above (repository name, username, or IP address). The feature requires the nx-all privilege to view the data, and is disabled by default.
This powerful capability lets Sonatype Nexus Repository users view the consumption of Log4j vulnerable downloads relating to CVE-2021-44228 directly within their own development infrastructure. This is critical information for any development, engineering, or application security team, especially given that two in five users are still downloading vulnerable versions of Log4j.
It’s clear that many developers and engineering teams remain completely unaware of how they are affected. The new Log4j Visualizer gives a dashboard view of component download data where the CVE-2021-44228 is being ingested. With it, teams can more quickly take action to update and fix issues.
Find and fix vulnerabilities automatically
Upgrading Log4j dependencies and keeping constantly up-to-date on new exploits is a complex and multifaceted challenge. Organizations are scrambling to look for needles in hundreds of haystacks in a dynamic environment. All this while trying to determine which set of tools to use across multiple applications and networks.
We help solve these problems by finding and fixing vulnerabilities across the entire software development life cycle by using the most accurate and precise data available with Sonatype Intelligence. Engineering and application security teams gain visibility into specific repositories where vulnerable components are being downloaded. This process is known as software composition analysis (SCA), a space where Sonatype has been recognized as a strong performer by Forrester Research.
Customers can also automatically block and continuously monitor other exploits throughout software supply chains, without additional personnel or manual effort.
For early identification and warnings, Sonatype Repository Firewall automatically blocks any known CVE and malicious behavior attacks from entering the development process. This includes typosquatting, malware injection, and Unicode Trojan Source attacks. Sonatype Lifecycle continuously monitors each phase of the software development life cycle (SDLC) to find and fix Log4j threats, even within legacy applications.
Emerging threats and beyond
Sonatype is laser-focused on helping organizations automate full spectrum software supply chain security to speed delivery of secure, high-quality applications. To do this, we have invested in knowing more about the quality of open source than anyone else in the world. This investment takes the form of machine learning, artificial intelligence, and human expertise, which produces highly curated intelligence infused into every Sonatype Platform product.
Organizations equipped with the Sonatype Platform make better decisions, innovate faster at scale, and rest comfortably knowing that their applications always consist of the highest quality open source components.
For the latest up-to-date information and data on Log4j news, check out Sonatype's Log4j Resource Center.
Title image source: Waranont
