TY - GEN
T1 - Advanced Vulnerability Scanning for Open Source Software to Minimize False Positives
AU - Wen, Victor
AU - Peng, Zedong
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024
Y1 - 2024
AB - Automated detection of software vulnerabilities remains a critical challenge in the software security domain. Log4j is an industrial-grade Java logging framework and is listed as one of the top 100 critical open source projects. On Dec. 10, 2021, the severe Log4Shell vulnerability was publicly disclosed; it was fully patched in Log4j 2 version 2.17.0 on Dec. 18, 2021. Even so, about 4.1 million Log4j downloads in the most recent seven-day period, or 33 percent of the total, were still of vulnerable packages. Many Log4Shell scanners have since been created to detect whether a user's installed Log4j version is vulnerable. Current detection tools primarily identify the installed Log4j version and do not check whether the scanned software is actually exploitable by an attacker, which produces numerous false positives. This research aims to develop an advanced scanner that not only detects Log4j versions but also evaluates the real-world exploitability of the software, thereby reducing false positives and more effectively identifying software at high risk of severe security breaches. This paper presents the methodology of this scanner, offering a novel approach to vulnerability detection that enhances the security posture of software systems utilizing Log4j.
KW - Open source software
KW - Vulnerability detection
KW - Log4j
UR - https://www.scopus.com/pages/publications/85207835689
U2 - 10.1109/IRI62200.2024.00041
DO - 10.1109/IRI62200.2024.00041
M3 - Conference contribution
AN - SCOPUS:85207835689
T3 - Proceedings - 2024 IEEE International Conference on Information Reuse and Integration for Data Science, IRI 2024
SP - 156
EP - 157
BT - Proceedings - 2024 IEEE International Conference on Information Reuse and Integration for Data Science, IRI 2024
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 25th IEEE International Conference on Information Reuse and Integration for Data Science, IRI 2024
Y2 - 7 August 2024 through 9 August 2024
ER -
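The abstract contrasts version-only Log4Shell detection with detection that also weighs exploitability. The block below is an added illustration of that distinction and is not the scanner the paper describes: it reads the log4j-core version from a jar's Maven pom.properties, applies a version-only verdict, and then adds one exploitability signal, whether JndiLookup.class is still inside the jar (removing that class is Apache's documented mitigation for deployments that cannot upgrade). The version cutoff of 2.17.0 is taken from the abstract and is a simplification of the per-CVE affected ranges; the jars scanned are constructed in memory, and the function names are the example's own.

```python
"""Exploitability-aware Log4Shell scan: version lookup plus a mitigation check.

Added example, not the paper's scanner.  Jars are constructed in memory and the
version cutoff is a deliberate simplification.
"""
import io
import re
import zipfile

# Maven metadata shipped inside log4j-core jars; the version string lives here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Deleting this class from the jar is Apache's documented mitigation for
# deployments that cannot upgrade; without it the JNDI lookup path is gone.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Assumed range for the version-only check, using the abstract's 2.17.0 cutoff.
# Real affected ranges are per-CVE and narrower; this is a simplification.
FIRST_AFFECTED = (2, 0, 0)
FIXED_IN = (2, 17, 0)


def parse_version(text):
    """Map '2.14.1' or '2.0-beta9' to a comparable (major, minor, patch) tuple."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError("unrecognised Log4j version: %r" % text)
    return tuple(int(part or 0) for part in match.groups())


def detect_version(jar_bytes):
    """Return log4j-core's version from pom.properties, or None if it is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_bytes):
    """True if JndiLookup.class is still present inside the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def version_only_verdict(jar_bytes):
    """What a version-only scanner reports: vulnerable iff the version is in range."""
    version = detect_version(jar_bytes)
    in_range = version is not None and FIRST_AFFECTED <= parse_version(version) < FIXED_IN
    return {"version": version, "vulnerable": in_range}


def exploitability_verdict(jar_bytes):
    """Version check plus one exploitability signal: is the JNDI lookup class there?"""
    base = version_only_verdict(jar_bytes)
    jndi_present = has_jndi_lookup(jar_bytes)
    return {
        "version": base["version"],
        "version_in_range": base["vulnerable"],
        "jndi_lookup_present": jndi_present,
        # A vulnerable version whose JNDI lookup class was stripped cannot reach
        # the JNDI resolver from a ${jndi:...} payload, so it is not flagged.
        "exploitable": base["vulnerable"] and jndi_present,
    }


def make_jar(version, keep_jndi_lookup):
    """Build a constructed, minimal log4j-core-like jar in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPERTIES, "artifactId=log4j-core\nversion=%s\n" % version)
        if keep_jndi_lookup:
            # Placeholder bytes standing in for the real class file.
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def compare_scanners():
    """Run both verdicts over constructed jars; yields (label, version_only, aware)."""
    samples = [
        ("2.14.1, untouched", make_jar("2.14.1", keep_jndi_lookup=True)),
        ("2.14.1, JndiLookup removed", make_jar("2.14.1", keep_jndi_lookup=False)),
        ("2.17.0", make_jar("2.17.0", keep_jndi_lookup=True)),
    ]
    return [
        (label, version_only_verdict(jar)["vulnerable"], exploitability_verdict(jar)["exploitable"])
        for label, jar in samples
    ]


if __name__ == "__main__":
    for label, naive, aware in compare_scanners():
        print("%-28s version-only=%-5s exploitability-aware=%s" % (label, naive, aware))
```

The second sample is the false positive the abstract is concerned with: a version-only scanner flags the 2.14.1 jar even though its JNDI lookup class has been removed, while the exploitability-aware verdict clears it. The class check is only one signal; a fuller assessment would also ask whether attacker-controlled input reaches a logged message and whether the host can reach an attacker's LDAP or RMI endpoint. The `log4j2.formatMsgNoLookups` property is deliberately not used as a signal here, because that mitigation was later shown to be incomplete in some non-default configurations (CVE-2021-45046).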