The Log4j vulnerabilities--which were shown in the last several days--is not only concerning by how widespread it is, but also how deeply embedded it is in the software we use and how difficult it is to detect.
For this reason, it is worth noting that there is a scanning tool to prevent and detect the serious threat.
Log4j Vulnerabilities Scanner
Vulnerability research lead at Rezilion Yotam Perkal stated through Rezilion that "the biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files - which means that a shallow search for the file won't find it."
"Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages," Parkal explained.
In relation to this, CISA, along with a slew of other cybersecurity firms and researchers, launched their Log4J scanner, per ZDNet.
The open-source Log4j scanner is based on scanners built by other open-source contributors and is intended to assist enterprises in identifying potentially susceptible web services affected by the Log4j vulnerabilities.
CISA said that they have worked with other researchers such as Philipp Klaus and Moritz Bechler to modify a Log4J scanner built by security startup FullHunt.
Technically, the repository offers a scanning solution for CVE-2021-44228 and CVE-2021-45046.
For those who are not familiar with CVE-2021-44228, it is an unauthenticated RCE flaw that permits total system takeover on Log4j 2.0-beta9 to 2.14.1 platforms. It is also known as Log4Shell or LogJam.
Cyber Kendra also noted that CVE-2021-44228 concerns the default settings of a variety of Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink and others, as previously reported.
Moreover, CISA stated that DNS callback is supported for vulnerability detection and validation, as well as fuzzing for HTTP POST Data parameters, fuzzing for JSON data parameters and support for lists of URLs.
WAF Bypass payloads are also included, as well as fuzzing for over 60 HTTP request headers.
Similar to CISA's Log4j scanner, CrowdStrike also launched CrowdStrike Archive Scan Tool, or "CAST," a free Log4J scanner.
Where to Get Log4j Scanner?
In terms of how massive Log4j vulnerabilities are, our previous report stated that one Check Point researcher remarked that "I cannot overstate the seriousness of this threat," noting that the vulnerability had already resulted in over 850,000 intrusions in his company less than a week.
While for its severity scale, Log4j received a 10 out of 10 rating.
Through the CISA and CrowdStrike Log4j scanner, there is a possibility to lessen the number of intrusions.
To access and download CISA's Log4j scanner, head to this website.
On the other hand, Rezilion put the nine most popular scanners to the test against a dataset of packaged Java files including Log4j, which was contained and packed in various formats.
While some scanners performed better than others, none were able to detect all formats, according to Perkal. He added that their study shows that "the limitations of static scanning in detecting Log4j instances, and highlights the need for code-level visibility in runtime memory where the code isn't packaged or nested."
Despite the benefit that the scanner brings, the said limit also serves as a reminder that scanners still have blind spots.
Related Article: Cybersecurity Warning: 2nd Dangerous Apache Log4j Vulnerability Discovered, Is There a Fix?
