Accelerating software distribution is a critical part to enabling enterprise delivery at scale. Throughout the SDLC processes, we’re required to continuously distribute software packages — either to remote development teams as part of CI cycles, to production environments or devices for deployments, or for public downloads by your developers or partners ecosystem. The key attributes of Distribution workflows create network challenges around bandwidth, resiliency and availability.

Accelerating software distribution is a critical part of the modern DevOps stack. Modern application development has created new challenges around distribution at scale, leading organizations to rethink their software distribution infrastructure.

In our recent webinar, Log4j Log4Shell Vulnerability Explained: All You Need To Know, our Senior Director Security Research expert Shachar Menashe shared information on the security issue and how to detect and remediate it. We are happy to share additional information in the following Q&A, based on the questions raised during the webinar.

Last week, a researcher from the Alibaba Cloud Security Team dropped a zero-day remote code execution exploit on Twitter, targeting the extremely popular log4j logging framework for Java (specifically, the 2.x branch called Log4j2). The vulnerability was originally discovered and reported to Apache by the Alibaba cloud security team on November 24th. MITRE assigned CVE-2021-44228 to this vulnerability, which has since been dubbed Log4Shell by security researchers.

Last Thursday, a researcher from the Alibaba Cloud Security Team dropped a zero-day remote code execution exploit on Twitter, targeting the extremely popular log4j logging framework for Java (specifically, the 2.x branch called Log4j2). The vulnerability was originally discovered and reported to Apache by the Alibaba cloud security team on November 24th. MITRE assigned CVE-2021-44228 to this vulnerability, which has since been dubbed Log4Shell by security researchers.

We’re excited to share with you that we have launched a completely new way to start using the JFrog DevOps Platform that you – as a developer – will love. We’ve provided a super-easy, developer-friendly path to discovering how Artifactory and Xray can help you produce safer apps, faster, getting started through the command line shell and IDE that you use every day.

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 11 malicious packages in the PyPI repository, a discovery that shows attacks are getting more sophisticated in their approach.

With all the focus on public cloud infrastructures, it’s easy to believe that there is no room for on-premises deployments of infrastructure. However, on-prem deployments are not likely to completely go away because often it’s just the right thing to do.

As developers, we’re passionate about creating and delivering high-quality software to our end-users and customers. Simply knowing that our software was shipped, deployed, and is being used is a great achievement. And it looks like we did a good job. Everything around us in our lives depends on high-quality software. Software needs to run for us to get water, energy, electricity, transportation, food, etc. Developers have a huge responsibility to keep this software updated and running efficiently.

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to report vulnerable and malicious packages to repository maintainers. Earlier this year we disclosed several malicious packages targeting developers’ private data that were downloaded approximately 30K times. Today, we will share details about 11 new malware packages that we’ve recently discovered and disclosed to the PyPI maintainers (who promptly removed them).