Many alarming words come to mind when thinking about the Log4j flaws. For X-Force Red hacker Carson Wilber, at the top of the list is "chaotic." After all, the vulnerabilities impacted billions of devices, with millions of attempts to exploit them. How could a scenario like that not be chaotic?
Despite the chaos, however, Carson and the X-Force Red team remained focused. They were determined to find a way to help our clients find and fix the flaws before attackers could get their digital hands on them. With their heads down, the team started building. Digging through open-source repositories, they tested tools that attacked running and static systems to see if they were vulnerable. Carson combined those with his own homegrown scripts, rewriting the tooling almost daily as more vulnerabilities were released. For dynamic systems, those that were up and running, he and the team tested different plug-ins and proprietary approaches for finding the vulnerabilities that exposed them. They moved in different directions, rushing to solidify a fix.
In two weeks, Carson and the team created a tool, which covers three main areas:
- Dependencies. Every piece of software has dependencies, or components it integrates with, such as libraries or other software. Carson can use the tool to look at the code in software and its dependencies to decipher where Log4j is being used. He can also identify the version of Log4j that's being used, examining the code itself and binary data to find any of the three released vulnerabilities.
- Build systems. These publicly available systems provide a list of software dependencies. Carson's tool can scan through the list and parse the data to identify which dependencies use which version of Log4j to determine if they are vulnerable.
- Fixes. The tool takes the data gathered from the build system, which Carson combines with other systems to find remediation updates that are already available. If an update can't be made, then Carson uses the tool to assess the software code and remove any vulnerable pieces. He can also assess the configuration, which is essential because if certain features are disabled, then the Log4j library isn't vulnerable.
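As an added illustration of the first two areas above (this is example code, not the X-Force Red tool), the script below parses a build-system dependency list and inspects a JAR to decide whether a Log4j version needs action. It assumes the line format that `mvn dependency:list` prints (`groupId:artifactId:type:version:scope`), uses a placeholder minimum version as its threshold (take the real value from the Apache Log4j security advisories), and checks for the JNDI lookup class whose removal from the jar was the published mitigation when upgrading was not possible. The dependency lines and the jar are constructed inline so the script runs offline.

```python
"""Added example (not the X-Force Red tool): flag Log4j dependencies from a
build-system dependency list and from JAR contents."""
import io
import re
import zipfile

# Constructed sample: lines in the shape `mvn dependency:list` prints.
# The exact format is assumed for illustration.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

# Placeholder threshold for this example: versions below it are reported.
# Use the fixed version from the current Apache Log4j advisory in practice.
MINIMUM_SAFE_VERSION = (2, 17, 1)

LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_CORE = "log4j-core"
# Path of the JNDI lookup class inside log4j-core; its removal was the
# published mitigation for installations that could not upgrade.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w\-]+):([\w.\-]+):(\w+)")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a 3-tuple of ints for comparison.
    Pre-release suffixes are dropped, so '2.0-beta9' sorts as 2.0.0."""
    head = text.split("-")[0]
    nums = [int(n) for n in re.findall(r"\d+", head)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_dependency_list(text):
    """Yield (group, artifact, version, scope) for each dependency line."""
    for line in text.splitlines():
        match = DEP_LINE.search(line)
        if match:
            group, artifact, _ptype, version, scope = match.groups()
            yield group, artifact, version, scope


def find_vulnerable_log4j(text, minimum=MINIMUM_SAFE_VERSION):
    """Return [(artifact, version, scope)] for log4j-core entries below the threshold."""
    findings = []
    for group, artifact, version, scope in parse_dependency_list(text):
        if group == LOG4J_GROUP and artifact == LOG4J_CORE:
            if parse_version(version) < minimum:
                findings.append((artifact, version, scope))
    return findings


def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: a zip with a manifest and,
    optionally, a dummy JndiLookup.class entry. Not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "Implementation-Title: Apache Log4j Core\r\n"
            f"Implementation-Version: {version}\r\n",
        )
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def inspect_jar(jar_bytes):
    """Read the manifest's Implementation-Version and check for the JNDI class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        has_jndi = JNDI_LOOKUP_CLASS in set(zf.namelist())
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return (match.group(1) if match else None), has_jndi


def assess_jar(jar_bytes, minimum=MINIMUM_SAFE_VERSION):
    """Classify a jar as patched, vulnerable, mitigated, or unknown-version."""
    version, has_jndi = inspect_jar(jar_bytes)
    if version is None:
        return "unknown-version"
    if parse_version(version) >= minimum:
        return "patched"
    return "vulnerable" if has_jndi else "mitigated-class-removed"


if __name__ == "__main__":
    for finding in find_vulnerable_log4j(SAMPLE_DEPENDENCY_LIST):
        print("dependency list:", finding)
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.17.1", True)):
        print(f"jar {ver} jndi={jndi}:", assess_jar(build_sample_jar(ver, jndi)))
```

The dependency-list pass answers "which version of Log4j does each component pull in", the jar pass answers "what actually shipped", and the two can disagree when a build was patched by stripping the class rather than by upgrading, which is why the jar check reports that case separately.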
The tool can wrap around multiple open-source tools that check source code and compiled programs for the Log4j vulnerability. In a nutshell, it enables X-Force Red to test a large amount of code quickly.
If you are interested in learning more about the tool, the X-Force Red team is happy to set up a one-on-one briefing. Please contact your IBM representative.
Abby Ross