SafeLog4j is an open-source tool that can detect and verify vulnerable Log4j applications and protect them.
This project comes after a 0-day exploit in the Java logging library, Log4j (version 2) was discovered on December 9. The vulnerability resulted in Remote Code Execution by logging a certain string.
SafeLog4j works inside an application, blocking the actual vulnerability from occurring. It does not rely on signatures and applications can safely log any data. It uses the instrumentation approach of Contrast Assess and Protect, but scoped to the single Log4j 2 CVE.
According to Contrast Security, the company behind the project, the approach is more accurate than file-based scanners that just look for a Log4j library. It supports multiple copies of Log4j 2, a common occurrence with Java application servers and servlet containers that run many independent applications on a single Java instance.
“When applying application defenses, we encourage those who manage applications and application security to continue the patch cadence. Upgrade your versions of Log4j2 to the secure version when you can. SafeLog4j works, you can use it for as long as you want, but the best defense is to remediate vulnerabilities and make them go away rather than to keep them around,” Erik Costlow, director of developer relations at Contrast Security, wrote in in a blog post.
