Home / Companies / JFrog / Blog / March 2022

March 2022 Summaries

11 posts from JFrog

Filter
Month: Year:
Post Summaries Back to Blog
In March 2022, a critical remote code execution vulnerability known as "SpringShell" or "Spring4Shell" was discovered in the popular Spring Framework, specifically targeting its data binding mechanism. The vulnerability, cataloged as CVE-2022-22965, allows attackers to exploit Java's ClassLoader attributes, especially in applications running on JDK 9 or later, leading to potential arbitrary code execution. The issue impacts many web applications that use Spring, particularly those using tutorials that bind request parameters to Java objects, making them susceptible to this flaw. While it was initially likened to the notorious Log4Shell vulnerability, SpringShell is not as widespread. The vulnerability was first sensationalized in a blog post, followed by a proof-of-concept release on Twitter, leading to its confirmation and subsequent patch releases by the Spring maintainers. Despite the vulnerability's potential severity, it is limited by certain conditions, such as deployment on Apache Tomcat as a WAR file, though future exploits may target different platforms. The primary mitigation strategy involves upgrading the Spring Framework to versions 5.2.20 or 5.3.18, or implementing a workaround by restricting certain ClassLoader fields, but upgrading remains the most effective solution. Additionally, the JFrog platform offers tools to detect and remediate the vulnerability, and it clarifies that two other Spring CVEs released at the same time are unrelated to SpringShell.
Mar 30, 2022 1,801 words in the original blog post.
JFrog Security's research team identified a targeted software supply chain attack on the npm Registry, wherein malicious packages were uploaded under the @azure scope through a typosquatting method. This attack involved creating packages with names similar to legitimate ones, minus the @azure prefix, leading to the potential theft of personally identifiable information (PII) from developers who might inadvertently install these packages. The malicious packages, totaling over 200, were quickly removed after being reported to npm maintainers. The attack likely aimed at both general npm users and possibly internal Microsoft/Azure networks, utilizing automated scripts to obscure the attack's origin and high version numbers to suggest a dependency confusion attack. JFrog Xray users are protected from such attacks, and Azure developers are advised to verify their package installations. The swift detection and response by npm maintainers highlight the importance of ongoing vigilance and improvements in security measures against the increasing trend of supply chain attacks.
Mar 23, 2022 1,442 words in the original blog post.
A recent blog post addresses vulnerabilities in the Apache HTTP server, specifically focusing on CVE-2022-23943 found in the mod_sed module, which can lead to a Denial of Service (DoS) or potentially Remote Code Execution (RCE). This vulnerability affects all Apache 2.4.x versions up to 2.4.52 when using the mod_sed filter for request or response editing, due to buffer mishandling that can result in an Out-of-Bounds Write. The post provides remediation advice, recommending an upgrade to Apache version 2.4.53 or applying a patch to fix the vulnerability. If upgrading is not possible, a mitigation strategy involves limiting the size of POST method bodies using the LimitRequestBody directive to prevent triggering the vulnerability. The blog also highlights JFrog's security tools, such as Xray, which offer automated security scanning and contextual analysis to help identify and resolve exploitable vulnerabilities in production environments.
Mar 17, 2022 1,101 words in the original blog post.
Security operation teams face the challenge of sifting through numerous daily alerts, many of which are false positives, requiring more efficient incident response solutions to focus on true cyber threats and reduce response times. JFrog's Cyber Security Incident Response Team (CSIRT) addressed this issue by implementing an automated security alert solution using a Slack chatbot, which minimized triage time and improved decision-making processes by automating the investigation and enrichment of raw data logs. This automation allowed the team to concentrate on true positive threats and reduced the risk lifetime by promptly informing incident owners within the organization, thereby increasing overall security awareness and response efficiency. The CSIRT's approach involved creating tailored playbooks for various incident types, leveraging existing platforms for incident management, and fostering team collaboration to ensure seamless integration and error handling. By sharing their methodology, JFrog hopes to inspire other organizations to enhance their own security operations through automation.
Mar 17, 2022 1,293 words in the original blog post.
Dart developers have new opportunities to enhance their software development lifecycle through JFrog Artifactory's support for Pub, Dart's package manager, enabling robust binary management and continuous integration practices. Dart, developed by Google, is a versatile programming language optimized for client development, and it has seen substantial growth due to its compatibility with platforms like Flutter and AngularDart, which allow for the creation of applications across multiple platforms using a single codebase. The integration of Pub repositories into Artifactory facilitates the acceleration of development processes by allowing remote, local, and virtual repositories to serve as caching proxies, ensuring speed, consistency, and security across teams. By using Artifactory's fine-grained permissions, developers can manage access and dependencies efficiently, enhancing the reliability and locality of Dart builds. With the ability to combine repositories into a single virtual repository, Dart developers can streamline dependency resolution, making it easier to maintain and share packages within and across teams, thereby promoting best DevOps practices and ensuring a seamless integration of native Pub, Flutter, and AngularDart support.
Mar 16, 2022 1,468 words in the original blog post.
The JFrog Security research team identified seven new security vulnerabilities in ClickHouse, an open-source Database Management System (DBMS) used primarily for online analytical processing, which were promptly disclosed to and addressed by ClickHouse maintainers. These vulnerabilities, which can be exploited by any authenticated user with read permissions, include heap buffer overflows, heap out-of-bounds reads, and divide-by-zero errors, potentially leading to server crashes, memory leaks, or remote code execution. The vulnerabilities affect various compression codecs within ClickHouse, and users are advised to update to version v21.10.2.15-stable or later to mitigate these risks. JFrog products remain unaffected as they do not utilize ClickHouse, and the JFrog team commends ClickHouse Inc. for their swift resolution of these issues.
Mar 15, 2022 1,850 words in the original blog post.
Developers are increasingly required to incorporate security and compliance checks early in the software development process, a practice known as "shift left," due to the rapid evolution of DevOps and the increasing sophistication of cyber threats. As businesses digitize their operations, they become more vulnerable to software vulnerabilities and cyberattacks, emphasizing the need for secure DevOps practices, or DevSecOps. The cost of poor software quality was estimated at $2 trillion in 2020, with much of it attributed to unpatched vulnerabilities. Software supply chain attacks, such as the notorious SolarWinds hack, highlight the need for stringent security measures, as these attacks are rising and often target third-party code. To address these challenges, integrating security checks into the development lifecycle helps mitigate risks earlier, reducing costs and improving software quality. Tools like the JFrog DevOps Platform facilitate this approach by automating security and compliance assessments from development through to production, ensuring vulnerabilities are addressed promptly and efficiently.
Mar 10, 2022 1,220 words in the original blog post.
The DirtyPipe vulnerability, designated as CVE-2022-0847, is a critical security flaw in the Linux kernel versions 5.8 and later, allowing local attackers to gain root privileges by writing arbitrary data to read-only files. Similar to the DirtyCoW vulnerability of 2016, DirtyPipe affects all major Linux distributions and cloud providers, posing significant risks as it can be exploited to rewrite sensitive files like "/etc/passwd" and potentially break out of containers under certain conditions. The vulnerability was discovered through the misuse of the splice() system call, and it has been addressed in kernel versions 5.16.11, 5.15.25, and 5.10.102. Remediation involves upgrading the kernel to these versions or applying a patch, and for those unable to do so, a mitigation option is to deploy a seccomp profile that disallows the splice syscall. JFrog's security research has confirmed that their products are not vulnerable, and they offer tools like JFrog Xray for identifying affected software versions.
Mar 09, 2022 1,013 words in the original blog post.
International Women's Day's theme of #BreakTheBias underscores the ongoing need to address both conscious and unconscious gender biases, a sentiment strongly echoed by JFrog, a company deeply committed to fostering diversity and inclusion. JFrog's leadership team includes six accomplished female executives who exemplify this commitment through their significant contributions to the company and the broader DevOps industry. These leaders, such as Moran Ashkenazi, who recently received a Bronze Globee award in cybersecurity, and Tali Notman, recognized as one of Silicon Valley's most influential women, demonstrate the impact of skill-based hiring. JFrog's commitment to diversity extends to its board and developer relations team, with women making up 30% and 50% of these groups, respectively. Despite these strides, the company recognizes the broader challenges women face in STEM fields, advocating for supportive programs and mentorship to empower women and girls. As a CEO and father, the author emphasizes the importance of a bias-free world where everyone is encouraged to pursue their dreams, aligning with JFrog's ethos of inclusivity and empowerment.
Mar 08, 2022 799 words in the original blog post.
JFrog's integration with PagerDuty enhances the monitoring and incident response capabilities for automated software delivery by amplifying Artifactory and Distribution event alerts. This integration is part of JFrog's verified Integrations with PagerDuty, which brings IT Service Management visibility to key change events within the JFrog Platform. By leveraging webhooks, it allows teams to receive real-time notifications of significant events such as artifact changes, release bundle creations, and distribution activities, thus ensuring seamless global distribution of applications and mitigating potential downtime impacts. The integration also supports best DevOps practices by facilitating the enforcement of policies like build immutability and providing ITSM visibility into the software development lifecycle. This connection allows for efficient monitoring of change events across Artifactory, Distribution, and other JFrog components, promoting transparency and responsiveness in DevOps and ITSM procedures.
Mar 02, 2022 1,006 words in the original blog post.
JFrog's Security Research team uncovered five security vulnerabilities in PJSIP, an open-source multimedia communication library used by applications like WhatsApp and Asterisk. These vulnerabilities, which include stack overflows and buffer overflows, can lead to arbitrary code execution or denial of service when exploited. The affected functions include pjsua_player_create, pjsua_recorder_create, pjsua_playlist_create, and pjsua_call_dump, with risks contingent on passing attacker-controlled arguments. Although JFrog disclosed these vulnerabilities to PJSIP's maintainers, they have not identified any specific vulnerable applications. Users are advised to upgrade to PJSIP version 2.12 to address these issues, and JFrog's Xray SCA tool provides automated security scanning to identify such vulnerabilities.
Mar 01, 2022 1,122 words in the original blog post.