Log4j Vulnerability: Unforeseen Risk - CVE-2021-44228 Identification and Action Plan
A critical zero-day vulnerability affecting Apache Log4j, known as Log4Shell, was disclosed on December 9, 2021. In response, Qualys has been actively updating its vulnerability detection and management tools to help organisations identify and address this issue. Here's a rundown of the latest developments.
Detection and Analysis
Qualys uses a variety of commands to check for the presence of the Log4j vulnerability. For instance, on Unix-like systems, commands such as , , , and are employed to scrutinise the log4j core jar for the presence of certain classes.
Authenticated and Unauthenticated Checks
Qualys has two QIDs (Qualys IDs) for the Log4j vulnerability: QID 376157 and QID 730297. QID 376157 is an authenticated check that queries the OS package managers on the target to find log4j packages with a version lower than 2.15.0, whereas QID 730297 is a remote unauthenticated check that sends an HTTP GET to the remote web server and tries to inject a payload to exploit the vulnerability.
However, it's important to note that QID 376157 does not check for Log4j 1.x, and the vulnerability may not be detected if log4j is embedded inside other binaries such as jar or war files, or if log4j was not installed via the package manager. Moreover, on Windows systems, QID 376157 may not fire if access to WMI is restricted or log4j is embedded inside other binaries.
Enhanced Reporting and Support for Windows
To provide more comprehensive reporting, QID 376157 has been updated to support the Windows operating system. This update uses WMI to enumerate running processes and identify log4j loaded by a process via its command line. Additionally, another update finds log4j installs using the command and identifies running log4j processes using the command .
Filtering and Summary
On Linux, QID 376187 will now filter out instances where the JMSAppender class is not found. QID 45515 parses the output of (on Windows) and (on Linux/Unix) to list all log4j-related instances discovered on the host. For a scan summary, QID 48201 provides a comprehensive overview of the Qualys Log4j Scan Utility.
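The class-presence check described under Detection and Analysis, and the JMSAppender filter above, can be reproduced on a host with an archive scanner. The following is an added example, not Qualys's utility or any code from this page: it walks a jar/war/ear (recursing into nested archives), flags a log4j-core jar that still contains the JndiLookup class with a version below the 2.15.0 threshold used by QID 376157, and reports the 1.x JMSAppender class. The class paths and the Maven pom.properties location are assumed from the upstream log4j layout; the sample WAR is constructed in memory with placeholder entries.

```python
import io
import zipfile

# Indicator classes (assumed upstream paths, not named on the page): JndiLookup is
# the Log4j 2.x lookup behind Log4Shell; JMSAppender is the 1.x class QID 376187 filters on.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)  # version threshold the authenticated QID uses

def parse_version(text):
    """Return the version= value of a Maven pom.properties as an int tuple, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")[:3]
            return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None
    return None

def scan_archive(data, name):
    """Inspect one archive (bytes), recursing into nested jars/wars.
    Returns a list of (archive_path, finding) tuples; empty means nothing found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
        if version is None or version < FIXED:  # unknown version is reported, not ignored
            label = ".".join(map(str, version)) if version else "unknown"
            findings.append((name, f"log4j-core {label} with JndiLookup"))
    if JMS_APPENDER in names:
        findings.append((name, "log4j 1.x JMSAppender"))
    for inner in sorted(names):  # nested archives, e.g. WEB-INF/lib/*.jar inside a WAR
        if inner.lower().endswith(ARCHIVE_EXTS):
            findings += scan_archive(zf.read(inner), f"{name}!{inner}")
    return findings

def build_sample_war(version="2.14.1"):
    """Constructed sample: a WAR bundling a log4j-core jar with placeholder entries."""
    core, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
        z.writestr(POM_PROPS, f"version={version}\n")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", core.getvalue())
    return war.getvalue()
```

To scan an archive on disk, read it as bytes and pass them to scan_archive with its path; walking a directory tree with os.walk over the ARCHIVE_EXTS suffixes covers a whole host.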
False Negatives and Recommendations
If remote detection QID 730297 produces false negatives on higher ports, bidirectional communication between the scanner and the target on all ports is recommended. If access to WMI is restricted or the command is not available on the target, QID 376157 may not fire. In such cases, it's advisable to employ alternative methods for detection and analysis.
Origins of Log4j
The Log4j library, a widely used Java application component, was developed by the Apache Software Foundation.
In conclusion, Qualys continues to update its tools to help organisations identify and address the Log4j vulnerability. As more vendors release updates for this critical issue, more QIDs are expected to be created for this CVE. It's crucial for organisations to stay vigilant and proactive in their efforts to secure their systems against this and other vulnerabilities.