Operations | Monitoring | ITSM | DevOps | Cloud

CVE-2021-37136 & CVE-2021-37137 - Denial of Service (DoS) in Netty's Decompressors

The JFrog Security research team has recently disclosed two denial of service issues (CVE-2021-37136, CVE-2021-37137) in Netty, a popular client/server framework which enables quick and easy development of network applications such as protocol servers and clients. In this post we will elaborate on one of the issues – CVE-2021-37136.

New Xray Features Enhance Workflows, Productivity and UX

The recently released JFrog Xray versions 3.31 & 3.32 have brought to the table a raft of new capabilities designed to improve and streamline your workflows, productivity and user experience. The new features, detailed below, solidify Xray as the optimum universal software composition analysis (SCA) solution for JFrog Artifactory that’s trusted by developers and DevSecOps teams to identify and eliminate open source software vulnerabilities and license compliance violations from their releases.

JFrog Cold Artifact Storage: Retention Policies for Your Binaries

With the trend towards smaller but more frequent software releases, your binaries and artifacts keep accumulating faster. Our enterprise customers each maintain an average of 20 million unique artifacts, adding 130% more each year. Eventually, a clutter of outdated binaries forms, and fInding the binaries you need becomes unwieldy, difficult, and confusing. Over time, your artifact repository’s performance can suffer from degradation.

CVE-2020-27304 - RCE via Directory Traversal in CivetWeb HTTP server

JFrog has recently disclosed a directory traversal issue in CivetWeb, a very popular embeddable web server/library that can either be used as a standalone web server or included as a library to add web server functionality to an existing application. The issue has been assigned to CVE-2020-27304.

GitLab vs JFrog: Who Has the Right Stuff?

Like the historic space race, the competition to plant the flag of DevOps is blasting off. According to market intelligence firm IDC, global business will invest $6.8 trillion in digital transformation by 2023. Yet research also suggests that 70 percent of them will fail to meet their goals. JFrog was the first company to offer a universal, hybrid, end-to-end DevOps platform.

Don't let Prometheus Steal your Fire

Prometheus is an open-source, metrics-based event monitoring and alerting solution for cloud applications. It is used by nearly 800 cloud-native organizations including Uber, Slack, Robinhood, and more. By scraping real-time metrics from various endpoints, Prometheus allows easy observation of a system’s state in addition to observation of hardware and software metrics such as memory usage, network usage and software-specific defined metrics (ex.

Topio + JFrog | Scaling Continuous Software Delivery for Edge & IoT Applications

Enterprises came to expect that software that underpins their business can change at the speed of the market. Cloud-native technologies and modern DevOps tools enable enterprises to continuously deploy software updates across data centers and public clouds. But things often get slowed down when trying to update applications across mixed environments and large fleets of edges and IoT devices.

JFrog and Upswift: Bringing IoT Software Updates to DevOps Upswift Acquistion

JFrog has acquired Upswift to bring the world of connected devices into the DevOps pipeline! Managing fleets of devices and edge applications remotely - including over-the-air (OTA) updates, security, monitoring, controlling and more - has quickly become unwieldy for most companies, with growth of connected devices expected to reach 24 billion in 2026. But, most of today’s DevOps solutions are not optimized or built to deliver software updates to distributed edge and IoT environments.

Proceed With Care: How to Use Approval Gates in Pipelines

While DevOps automation aims to eliminate most human intervention in the CI/CD DevOps pipeline, you can’t always cut people completely out of the process. There are still times when you’ll want an expert, hands-on review to assure that everything is as it should be before allowing your pipeline to proceed further.

23andMe's Yamale Python code injection, and properly sanitizing eval()

JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in Yamale, a popular schema validator for YAML that’s used by over 200 repositories. The issue has been assigned to CVE-2021-38305.