Advanced Vulnerability Scanning for Open Source Software: Detection and Mitigation of Log4j Vulnerabilities

TL;DR

This paper presents an advanced, automated Log4j vulnerability scanner that evaluates real exploitability, reduces false positives, and integrates into development workflows for timely vulnerability detection and mitigation.

Contribution

The study introduces a novel Log4j scanning tool that assesses actual exploitability and provides targeted mitigation, improving over existing version-based detection methods.

Findings

Achieved 91.4% accuracy in vulnerability detection

Successfully integrated with GitHub Actions for continuous scanning

Demonstrated effectiveness across 28 open-source projects

Abstract

Automated detection of software vulnerabilities remains a critical challenge in software security. Log4j is an industrial-grade Java logging framework listed as one of the top 100 critical open source projects. On Dec. 10, 2021 a severe vulnerability Log4Shell was disclosed before being fully patched with Log4j2 version 2.17.0 on Dec. 18, 2021. However, to this day about 4.1 million, or 33 percent of all Log4j downloads in the last 7 days contain vulnerable packages. Many Log4Shell scanners have since been created to detect if a user's installed Log4j version is vulnerable. Current detection tools primarily focus on identifying the version of Log4j installed, leading to numerous false positives, as they do not check if the software scanned is really vulnerable to malicious actors. This research aims to develop an advanced Log4j scanning tool that can evaluate the real-world exploitability of the software, thereby reducing false positives. Our approach first identifies vulnerabilities and then provides targeted recommendations for mitigating these detected vulnerabilities, along with instant feedback to users. By leveraging GitHub Actions, our tool offers automated and continuous scanning capabilities, ensuring timely identification of vulnerabilities as code changes occur. This integration into existing development workflows enables real-time monitoring and quicker responses to potential threats. We demonstrate the effectiveness of our approach by evaluating 28 open-source software projects across different releases, achieving an accuracy rate of 91.4% from a sample of 140 scans. Our GitHub action implementation is available at the GitHub marketplace and can be accessed by anyone interested in improving their software security and for future studies. This tool provides a dependable way to detect and mitigate vulnerabilities in open-source projects.