Contrast is releasing SafeLog4j, a free and open-source, general purpose tool that can detect/verify vulnerable log4j applications and protect them. The utility works with user-developed and third party applications, does not require source code, and works against WAF bypass attacks.
The utility is designed to provide an immediate defense, giving teams the opportunity to alter their own applications or plan upgrades of vendor applications. Anyone can leverage this tool without cost for any duration of time.
How SafeLog4j Works
SafeLog4j works inside the application, blocking the actual vulnerability from occurring. It does not rely on signatures and applications can safely log any data.
The utility uses the same proven Java instrumentation approach as Contrast Assess and Protect, but scoped to the single Log4j2 CVE. It connects to an application, verifies the version and exploitability of the vulnerability using a safe payload, and takes action if and only if it’s necessary.
Benefits of SafeLog4j
This works for any application, internal or external. The application that you defend does not need to be internet facing and you do not need to run attack payloads on your private networks. When an application restarts, you do not need to patch it again. You may also remove the patch any time once you have secured your Log4j2 version.
This can be placed on a system or container to patch any future Java processes that start on that host.
The approach is more accurate than file-based scanners that simply look for a log4j library. Scanner based approaches will miss many fat JARs, a common technique that moves Java class files. When fat JARs are present, scanning approaches will report that applications are secure when they are not.
Shaded JARs are supported. Shading is a technique that application or library developers do to rename classes, often to avoid a compatibility conflict with similar libraries. If an application uses a shaded log4j2, signature-based approaches will report that applications are secure when they are not.
Supports multiple copies of Log4j2, a common occurrence with Java application servers and servlet containers that run many independent applications on a single Java instance.
Complete usage instructions appear on the SafeLog4j GitHub page. The tool operates in two modes:
- Agent mode, connecting to Java applications as they start.
- Command mode, connecting to running Java applications to patch them without a restart needed.
When using command mode, we recommend using agent mode on the system to maintain patches whenever the application is restarted.
Getting the Full Solution
When applying application defenses, we encourage those who manage applications and application security to continue the patch cadence. Upgrade your versions of Log4j2 to the secure version when you can. SafeLog4j works, you can use it for as long as you want, but the best defense is to remediate vulnerabilities and make them go away rather than to keep them around.
For general purpose security testing and protection tools that work at Enterprise scale, customers should explore the Contrast Security Code Security Platform. The log4j crisis has shown that Contrast’s customers were the best prepared to respond to this and will be the best prepared for future, inevitable incidents.
SafeLog4j builds on work similar to the AWS Corretto team’s hotpatch, used to secure the AWS infrastructure. SafeLog4j expands on this work to verify exploitability and simplify usage.
We welcome developer participation on the GitHub project where we’re housing this tool. Please join us here.