Operations | Monitoring | ITSM | DevOps | Cloud

The JNDI Strikes Back - Unauthenticated RCE in H2 Database Console

Very recently, the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE – CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading). H2 is a very popular open-source Java SQL database offering a lightweight in-memory solution that doesn’t require data to be stored on disk.

Open Source Projects Contribute to in 2022

With a nearly endless array of open source projects available to contribute to these days, knowing where to start contributing can feel easier said than done. Need some inspiration? Whether you’re new to the world of open source, are gearing up for Open Source Fridays in the new year, or just want to see what other folks are excited about, check out a few of our favorite open source projects to contribute to in 2022.

Log4j Detection with JFrog OSS Scanning Tools

The discovery of the Log4Shell vulnerability in the ubiquitous Apache Log4j package is a singular event in terms of both its impact and severity. Over 1 million attack attempts exploiting the Log4Shell vulnerability were detected within days after it was exposed, and it may take years before we see its full impact.

Announcement: Pleco - the open-source Kubernetes and Cloud Services garbage collector

TLDR; Pleco is a service that automatically removes Cloud managed services and Kubernetes resources based on tags with TTL. When using cloud provider services, whether using UI or Terraform, you usually have to create many resources (users, VPCs, virtual machines, clusters, etc...) to host and expose an application to the outside world. When using Terraform, sometimes, the deployment will not go as planned.

Yes, Open Source Is Sustainable

Two months ago, we announced our annual investment in open source maintainers, mostly folks whose work we depend on to deliver Sentry to you, plus a few research and hobby projects that our employees put on our radar. Two days ago, six of these maintainers joined us for a one-hour panel called “The Future of Open Source: Is It Sustainable?” I co-hosted with Jessica Lord, Product Manager of GitHub Sponsors.

Log4j gets added to the code "wall of shame."

It seems that every few weeks, we are alerted to a new significant security issue within one of the plethoras of code elements that are widely used. The same pundits discuss the same range of concerns with open-sourced code each time. The list of “usual suspects” is long, and I know I could add at least 20 additional “reasons” to this list without thinking about it too hard. I’m not sure that open-sourced code is riskier than proprietary developed code. There I said it.