Log4j Vulnerability Tools And Resources

Prasad
Jan 6, 2022

What is Log4j?

Log4j is a widely used Java library for logging error messages in applications. It is used in enterprise software applications, including custom applications developed in-house by businesses, and forms part of many cloud computing services.

Where is Log4j used?

The Log4j 2 library is used in enterprise Java software and, according to the UK’s NCSC, is included in Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift.

Tools

CVE-2021-44228 — Apache log4j up to 2.14.1 JNDI LDAP Server Lookup format string

Apache log4j 2 is an open-source, Java-based logging framework used in numerous Java applications around the world. Compared with the original log4j 1.x release, log4j 2 addressed issues with the previous release and offered a plugin architecture for users. Apache Log4j 2 became the mainstream version on August 5th of 2015, and all users of earlier log4j versions were recommended to upgrade to log4j 2. Apache log4j is widely used in several popular software applications, like ElasticSearch, Apache Struts, Kafka, Redis, and others.

Crashtest Security

Crashtest Security develops market-leading vulnerability scanning software for web applications — enterprise-grade with a user-friendly interface.

log4j-scan

A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228.

Arctic Wolf Log4Shell Deep Scan

The Arctic Wolf Log4Shell Deep Scan is designed to detect Java application packages subject to CVE-2021-44228 and CVE-2021-45046.

Huntress Log4Shell Vulnerability Tester

This repo holds the source for the HTTP and LDAP servers hosted here. Both services are hosted under one Java application built here with maven. We have released the source code of this application to promote transparency, and let researchers verify for themselves that our service does nothing nefarious.

Qualys Web Application Scanning

Qualys Web Application Scanning (WAS) is a cloud-based service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to cover thousands of websites. Qualys WAS is bundled with additional scanning technology to proactively monitor websites for malware infections, sending alerts to website owners to help prevent blacklisting and brand reputation damage.

CyberCNS Vulnerability Scanner

CyberCNS is a vulnerability management platform purpose-built in collaboration with many of the nation’s security-first MSPs.

Log4j Detection

You can use this YARA rule to detect the presence of Log4j and then determine whether it is vulnerable to Log4Shell (CVE-2021-44228) or not. If it is, you can use the mitigations listed below to handle the situation. In the Package folder you can find a collected package which includes the YARA executable, the rule file (log4j.yar), and cmd/bash scripts for running it on Windows and Linux systems.

CAST: CrowdStrike Archive Scan Tool

This tool is a quick scanner to walk filesystems looking for vulnerable versions of log4j. Please see our blog post here for more detailed discussion. Currently, it scans a given set of directories for JAR, WAR, ZIP, or EAR files, then scans for files therein matching a known set of checksums.

log4j-honeypot-flask

Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228. This can be installed on a workstation or server, either by running the Python app/app.py script directly (you’ll need python3, Flask, and Requests) or as a Docker container.

Cyrisma

Cyrisma removes cybersecurity complexity for MSPs, MSSPs, Information Security Consulting Firms, Incident Response Firms and many more!

Log4Shell Enumeration, Mitigation and Attack Detection Tool

This is a PowerShell-based script that can be run on a Windows system (it has been neither written for, nor tested with, other platforms).

Sonatype Vulnerability Scanner

The Remote Code Execution exploit in log4j (CVE-2021-44228) is especially dangerous as it can run any code via your software. Its widespread popularity means it’s pervasive throughout the Java open source ecosystem. Immediate action is needed to protect your software supply chain.

Tanium Log4j zero-day Vulnerability

Tanium can help you scan, search and hunt down Log4j exposure you didn’t even know existed. These modules give you a starting point, narrow down the search and pinpoint exact locations of Log4j.

Log4j Vulnerability Tester

This web-based tool can help identify server applications that may be affected by the Log4Shell (CVE-2021-44228, CVE-2021-45046) vulnerability.

CVE-2021-44228_scanner

Applications that are vulnerable to the log4j CVE-2021-44228 issue may be detectable by scanning jar, war, and ear files to search for the presence of JndiLookup.class.

Tr-3 Vulnerability Scanning

Tr-3 is cloud-based vulnerability scanning, the latest innovation from Carson & SAINT, the company that built the award-winning SAINT Security Suite. This easy-to-use, cost-effective, cloud-based scanning service helps you find vulnerabilities. For each exposure, Tr-3 reports provide specific, actionable information that allows you to mitigate risk. We specifically designed it with small business and small MSP needs in mind.

Log4j Scanner

This repository provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). The information and code in this repository is provided “as is” and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community. This is not intended to be a 100% true positive solution; false negatives may occur.

Videos

Log4j Vulnerability RCE POC — CVE-2021-44228 Proof of Concept — Apache log4j Prophaze WAF | Prophaze WAF

How Tanium Can Help With the Log4j Vulnerability | Tanium

Trend Micro Log4J Vulnerability Tester | Trend Micro

Log4J Vulnerability (Log4Shell) Explained — for Java developers | Java Brains


I am Prasad G (Prechu). I analyse and optimise websites to improve their search results, and I am a regular blogger at http://cssauthor.com