Google enables continuous testing for Log4j vulnerabilities with OSS-Fuzz

Google, together with security company Code Intelligence, is extending its OSS-Fuzz service to continuously test Log4j for vulnerabilities. The Jazzer fuzzing engine detects whether JNDI lookups are taking place.

With its changes to the free fuzzing service OSS-Fuzz, Google wants to give open source developers the opportunity to make their code more secure themselves. The continuous fuzzing of Log4j is a first step. In the coming year, the Google Open Source Security Team wants to work on better automated detection of vulnerabilities such as Log4Shell.

With fuzzing, companies automatically test software for bugs by bombarding it with inputs. In 2016, Google introduced the OSS-Fuzz service, which allows projects to continuously test for errors. According to the company, more than 500 open source projects have used the service and more than 7,000 vulnerabilities have been found. At the beginning of this year, Google partnered with Code Intelligence to integrate the Jazzer fuzzing engine into OSS-Fuzz to continuously test projects written in Java Virtual Machine languages.

Both companies are now modifying that engine to detect Java Naming and Directory Interface (JNDI) lookups that take place during fuzzing. Such lookups can enable remote exploitation of vulnerabilities, potentially resulting in malicious code execution or data leakage. The security team is targeting Log4j because of the critical vulnerability in the popular logging library revealed last week. Security companies have sounded the alarm about this Log4Shell vulnerability.
