Operations | Monitoring | ITSM | DevOps | Cloud

February 2022

Customizing the JFrog Xray Horizontal Pod Autoscaler

In cloud native computing (Kubernetes in our case), there is a requirement to automatically scale the compute resources used for performing a task. The autoscaling cloud computer strategy allows to dynamically adjust the active number of application servers and allocated resources instead of responding manually in real-time to traffic surges that necessitate more resources and instances.

How to set up a Private, Remote and Virtual Go Registry

The simplest way to manage and organize your Go dependencies is with a Go Repository. You need reliable, secure, consistent and efficient access to your dependencies that are shared across your team, in a central location. Including a place to set up multiple registries, that work transparently with the Go client. With the JFrog free cloud subscription, including JFrog Artifactory, Xray and Pipelines, you can set up a free local, remote and virtual Go Registry in minutes.

Malware Civil War - Malicious npm Packages Targeting Malware Authors

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 25 malicious packages in the npm repository that were picked up by our automated scanning tools.

Xray: New Year, New Security Features

As part of our ongoing efforts to offer you the most comprehensive and advanced SDLC protection capabilities, JFrog continues to boost the capabilities of our Xray security and compliance product. In this blog, we offer an overview of recent Xray improvements, all aimed at helping you fortify your software, reduce risk, scale security, streamline compliance and accelerate releases with confidence.

New Year, New Features in Artifactory

Let’s start 2022 off the right with new features and updates that will extend JFrog Artifactory’s power and reach in addressing challenges with managing your binaries from development to production. Join JFrog’s Irena Guy Product Manager, Evgeny Karasik Senior Product Manager, Ben Ifrach Product Manager, and Eyal Ben Moshe Development Manager, Ecosystem. In this session, you'll learn about the new updates.

CVE-2021-44521 - Exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

JFrog’s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4). This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra.

JFrog Discloses 3 Remote Access Trojans in PyPI

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to detect and avert potential software supply chain security threats. After validating the findings, the team reports any security vulnerabilities or malicious packages discovered to repository maintainers and the wider community.

Our Solution for Scalable Multi-Region SaaS Deployment

Just like many other production DevOps engineering teams, our JFrog team deploys new version releases several times a day to AWS, Azure and GCP, across more than 20 cloud regions. This process used to take us many hours and could have even failed if it was done alongside maintenance by other teams.

New Year, New Features in Xray

Let’s start 2022 off the right with new features and updates that will extend JFrog Xray’s power and reach in addressing challenges with securing your binaries from development to production. Join Sarit Tager, VP Product Security as she discusses how Xray provides intelligent supply chain security and compliance at DevOps speed. JFrog Xray is a software composition analysis (SCA) solution that scans your open source software (OSS) dependencies for security vulnerabilities and license compliance issues.

CVE-2021-44142: Critical Samba Vulnerability Allows Remote Code Execution

Recently, a critical out-of-bounds vulnerability, assigned to CVE-2021-44142, was disclosed in Samba versions prior to 4.13.17. The Samba vulnerability carries a critical CVSS of 9.9 and allows attackers to remotely execute code on machines running a Samba server with a vulnerable configuration. The vulnerability was disclosed as part of the Pwn2Own Austin competition where researchers are challenged to exploit widely-used software and devices with unknown vulnerabilities.

Don't Miss Out: Highlights from DevOps Cloud Days 2022

If you didn’t attend our recently concluded DevOps Cloud Days online conference, you missed a learning event that those who did called “fantastic” and “meaningful.” In written feedback, developers, operations staff, and security admins who attended described the presentations as “powerful,” “inspiring” and “excellent.” Fortunately, it wasn’t your last chance to share that fruitful experience with us.

DevOps Roundtable with Transact Campus

Join us for an exclusive round table event where you will have the opportunity to ask Mrinal Virnave, Senior Director of Software Architecture at Transact Campus & JFrog’s own technical expert Bill Manning your most pressing DevOps questions, like: During our sit down, Mrinal Virnavewill elaborate on how his team increased productivity by transforming their developer experience and creating a centralized and secure process.

Design Considerations for Software Distribution to Edge & IoT Applications

Make no mistake: You can’t overlook software distribution in DevOps. At risk are the reliability, security and speed of your software releases — and your business itself. This is especially true in enterprises that are releasing across numerous edge endpoints or IoT devices. As your releases’ cadence and payload grow, software distribution challenges multiply, particularly at the edge.

The Impact of CVE-2022-0185 Linux Kernel Vulnerability on Popular Kubernetes Engines

Last week, a critical vulnerability identified as CVE-2022-0185 was disclosed, affecting Linux kernel versions 5.1 to 5.16.1. The security vulnerability is an integer underflow in the Filesystem Context module that allows a local attacker to run arbitrary code in the context of the kernel, thus leading to privilege escalation, container environment escape, or denial of service.