To help contain the damages that arise from the log4j vulnerability, Code Intelligence collaborated with Google’s Open Source Security Team. Together, we implemented effective bug detectors for Remote Code Execution Vulnerabilities (RCEs) to Google’s open source fuzzing framework, OSS-Fuzz.
Now, Java developers can run continuous security tests for JNDI lookups and RCEs in Google’s infrastructure, with the immense computing power of 100k CPU cores, by onboarding their open source projects to OSS-Fuzz.
Over the past five years, OSS-Fuzz has earned an impressive track record of over 7000 vulnerabilities in 500+ open source projects. In March 2021 Google enabled Java Fuzzing in OSS-Fuzz, by integrating Jazzer, a popular fuzzing engine for JVM-based languages, such as Java, Kotlin and Clojure.
“The integration of Code Intelligence's Java fuzzer into OSS-Fuzz has helped us make fuzz testing accessible to many open-source libraries that are based on Java.”
Google Open Source Security Team Lead
Log4j has shown that vulnerabilities in open source components can have devastating consequences. The right way to brace projects for such vulnerabilities is to test them thoroughly.
Java fuzzers, like Jazzer can now reliably detect JNDI lookups and RCEs. That’s why maintainers of open source projects should now fuzz their Java components thoroughly for these vulnerabilities. Google even rewards developers for fuzzing open-source projects with up to $20 000.
Fuzz Your First Application Today!