On December 9th, 2021, the Remote Code Execution (RCE) vulnerability CVE-2021-44228 in Apache log4j 2 was published, and active exploitation began soon after. Since then, development teams have been working tirelessly to fix the issue and prevent (further) damage.
Yes – CI Fuzz version 2.28.0 and up can find this vulnerability if log4j is included in the list of libraries to instrument for fuzzing. Due to the high interest in this class of vulnerabilities, we are making the relevant bug detector available to the open-source community. With Jazzer, our open-source fuzzing engine that is part of Google’s OSS-Fuzz, you can now find the log4j vulnerability, as well as similar RCE issues, in the same way as with our core product CI Fuzz.
Since Jazzer is part of OSS-Fuzz, all integrated open-source projects written in Java and other JVM-based languages are now continuously searched for similar vulnerabilities. A fuzz target for log4j that reproduces the vulnerability can be found here.
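To show the shape of such a fuzz target, here is an added example (not the target linked above and not Code Intelligence's own code) that feeds fuzzer-generated strings into a log4j 2 logger, both as the message itself and as a message parameter. The class name `Log4jMessageFuzzer` and the message text are assumptions made for illustration.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.config.Configurator;

// Hypothetical class name; any public class with these static methods works.
public class Log4jMessageFuzzer {
  private static Logger logger;

  // Jazzer calls this once before the first input is executed.
  public static void fuzzerInitialize() {
    // Make sure ERROR events are not filtered out before the message
    // is formatted, so every input reaches the formatting code.
    Configurator.setRootLevel(Level.ERROR);
    logger = LogManager.getLogger(Log4jMessageFuzzer.class);
  }

  // Jazzer calls this once per generated input.
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    // Let the fuzzer choose which of the two logging paths to exercise.
    boolean asParameter = data.consumeBoolean();
    // Treat the rest of the input as untrusted text that ends up in a log call,
    // the situation an application is in when it logs user-supplied data.
    String untrusted = data.consumeRemainingAsString();

    if (asParameter) {
      // Untrusted data substituted into a fixed message pattern.
      logger.error("request from {}", untrusted);
    } else {
      // Untrusted data used directly as the log message.
      logger.error(untrusted);
    }
    // No assertion here: the target only drives input into log4j. A finding
    // is reported by the fuzzer's bug detector, as described in the post.
  }
}
```

The target only produces a finding if the log4j packages are part of the instrumented code, as noted above; with Jazzer this is controlled through its `--instrumentation_includes` option, and `log4j-api` and `log4j-core` must be on the class path.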
Fabian Meumertzheim (@fhenneke) is a Senior Software Engineer at Code Intelligence. A mathematician by education, he has always been passionate about IT security. He maintains and contributes to multiple open-source projects, such as Chromium, system, and Android Password Store, all with the aim of making security unobtrusive and ubiquitous.