Using Private StackShare To Detect & Mitigate Log4Shell

We recently announced the release of Vulnerabilities Reports in Private StackShare. It's a single view of all the open vulnerabilities across all your repos/tech stacks. You can now use this report to understand whether or not the latest Log4j vulnerability, now named "Log4Shell", is present in any of your repos and tech stacks with a simple search.

What is Log4Shell/Log4j?

Log4J is an open source Java-based logging utility that allows you to control logging behavior and is often used as an audit logging framework. Log4j is used by thousands, possibly even millions of apps.

Log4Shell is a critical zero-day vulnerability that surfaced on Thursday, December 9th 2021, when it was exploited in the wild in remote-code compromises against Minecraft servers through Log4j. This vulnerability affects some of the biggest companies on the Internet and the list of affected web properties is only expected to grow as more discover that they are vulnerable.

Using Private StackShare to understand if Log4shell affects your tech stacks

To see if Log4Shell affects your repos/tech stacks and applications, simply install the Private StackShare GitHub App, once installed you'll be redirected back to StackShare to your Dashboard. Click on the Vulnerability Report:

Once you're on the Vulnerability Report, you'll see a list of all the open vulnerabilities that exist across all the Git repos you've connected. Depending on how many repos you've connected, this could be a long list. To quickly check if Log4Shell is present in your repos, copy the official CVE ID, CVE-2021-44228, and paste it in the search bar at the top of the report. You'll see the log4j vulnerability in the list if it's present in any of your repos. After you click on the vulnerability item, you'll see details about it, along with the affected stacks and a link to the file that specifies the version of log4j that contains the vulnerability in that specific repo:

Once identified, you can then use the report to understand what version to upgrade log4j to in order to patch the vulnerability- listed as "1st patched":

Make the necessary updates to the affected repos, and you've successfully mitigated Log4Shell.

Sign up for Private StackShare for Free today to instantly understand if Log4Shell affects your repos and tech stacks.