Red Hat and Oracle announced the general availability of Red Hat OpenShift on Oracle Cloud Infrastructure (OCI) Compute Virtual Machines (VMs).
Oxeye unveiled an open-source initiative with the introduction of Ox4Shell.
The powerful and free open-source payload deobfuscation tool is in a series of solutions to be developed by Oxeye to assist developers, AppSec professionals, and the open-source community. Ox4Shell is designed to confront what some are calling the “Covid of the Internet,” known as the Log4Shell zero-day vulnerability. To counter a very effective obfuscation tactic used by malicious actors, Oxeye’s new open-source tool (available on GitHub) exposes hidden payloads which are actively being used to confuse security protection tools and security teams.
As reported by experts, organizations globally continue to experience remote code attacks and the exposure of sensitive data due to the pervasive Log4Shell vulnerability. Discovered in Apache’s Log4J, a logging system in widespread use by web and server application developers, the threat makes it possible to inject text into log messages or log message parameters, then into server logs which can then load code from a remote server for malicious use. Apache has given Log4Shell a CVSS severity rating of 10 out of 10, the highest possible score. Since then, researchers found a similar vulnerability in the popular H2 database. The exploit is simple to execute and is estimated to affect hundreds of millions of devices.
As part of a new open-source initiative for 2022, Oxeye is unveiling this in a series of contributions designed to strengthen security efforts by deobfuscating payloads often coupled with Log4J exploits. Ox4Shell exposes obscured payloads and transforms them into more meaningful forms to provide a clear understanding of what threat actors are trying to achieve, allowing the concerned parties to take immediate action and resolve the vulnerability.
The Log4j library has a few unique lookup functions that permit users to look up environment variables, Java process runtime information, and so forth. These enable threat actors to probe for specific information that can uniquely identify a compromised machine they’ve targeted. Ox4Shell enables you to comply with such lookup functions by feeding them mock data that you control.
“Difficulties in applying the required patching to the Log4Shell vulnerability means this exploit will leave gaps for malicious attacks now and in the future. The ability to apply obfuscation techniques to payloads, thereby circumventing the rules logic to bypass security measures also makes this a considerable challenge unless the proper remedy is applied,” said Daniel Abeles, Head of Research at Oxeye. Deobfuscation will be critical to understanding the true intention(s) of attackers. Ox4Shell provides a powerful solution to address this and as a supporter of the open-source community ...”
Industry News
The Software Engineering Institute at Carnegie Mellon University announced the release of a tool to give a comprehensive visualization of the complete DevSecOps pipeline.
Synopsys has entered into a definitive agreement with Clearlake Capital Group, L.P. and Francisco Partners.
Postman released v11, a significant update that speeds up development by reducing collaboration friction on APIs.
Sysdig announced the launch of the company’s Runtime Insights Partner Ecosystem, recognizing the leading security solutions that combine with Sysdig to help customers prioritize and respond to critical security risks.
Nokod Security announced the general availability of the Nokod Security Platform.
Drata has acquired oak9, a cloud native security platform, and released a new capability in beta to seamlessly bring continuous compliance into the software development lifecycle.
Amazon Web Services (AWS) announced the general availability of Amazon Q, a generative artificial intelligence (AI)-powered assistant for accelerating software development and leveraging companies’ internal data.
Red Hat announced the general availability of Red Hat Enterprise Linux 9.4, the latest version of the enterprise Linux platform.
ActiveState unveiled Get Current, Stay Current (GCSC) – a continuous code refactoring service that deals with breaking changes so enterprises can stay current with the pace of open source.
Lineaje released Open-Source Manager (OSM), a solution to bring transparency to open-source software components in applications and proactively manage and mitigate associated risks.
Synopsys announced the availability of Polaris Assist, an AI-powered application security assistant on the Synopsys Polaris Software Integrity Platform®.
Backslash Security announced the findings of its GPT-4 developer simulation exercise, designed and conducted by the Backslash Research Team, to identify security issues associated with LLM-generated code. The Backslash platform offers several core capabilities that address growing security concerns around AI-generated code, including open source code reachability analysis and phantom package visibility capabilities.
Azul announced that Azul Intelligence Cloud, Azul’s cloud analytics solution -- which provides actionable intelligence from production Java runtime data to dramatically boost developer productivity -- now supports Oracle JDK and any OpenJDK-based JVM (Java Virtual Machine) from any vendor or distribution.