How does Holm Security support detection of the Log4j (Log4Shell) vulnerability?

This article will be updated when more information is available.

Updates about vulnerability tests

2021-12-28 19:55 GMT +1

HID table updated (new entries are marked "New"); please see the end of the article.

 

Information about the vulnerability Log4j

General information

CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability impacting Log4j version 2. The vulnerability is also known as Log4Shell.

Log4j is a common logging framework for Java-based applications, and anyone can choose to include it in their software. The impact of this vulnerability is therefore widespread, affecting both platforms and individual applications.

Read more about this vulnerability in our blog.

How to scan for this vulnerability

To check if your systems are affected by the Log4j 2 vulnerability you will need to run an Authenticated Network Scan using Holm Security VMP.

You will find detailed information about setting up your authenticated scanning profile in this article:
https://support.holmsecurity.com/hc/en-us/articles/212841809

And you can find more information in this section:
https://support.holmsecurity.com/hc/en-us/sections/360002955531-Authenticated-Network-Scans

If your system is vulnerable, you will find one of the following HIDs in your generated scan report, depending on your OS:

  • HID-2-1-371879
  • HID-2-1-371866
  • HID-2-1-026309
  • HID-2-1-939587
  • HID-2-1-341380 (can be run unauthenticated, only on external scan nodes)
  • HID-2-1-341387
  • HID-2-1-341388
  • HID-2-1-341389
  • HID-2-1-371872
  • HID-2-1-341381
  • HID-2-1-341395
  • HID-2-1-341383
  • HID-2-1-341382
  • HID-2-1-5348677 Apache Log4j Version Detection (Windows) Authenticated
  • HID-2-1-5348688 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348682 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348681 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348680 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348683 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348686 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348685 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348689 (run unauthenticated, only on external scan nodes)
  • HID-2-1-939589 
  • HID-2-1-371836 New 28/12
  • HID-2-1-371835 New 28/12
  • HID-2-1-043901 New 28/12
  • HID-2-1-043927 New 28/12
  • HID-2-1-371827 New 28/12
  • HID-2-1-5348693 New 28/12
  • HID-2-1-5348694 New 28/12
  • HID-2-1-371816 New 28/12
  • HID-2-1-5348690 New 28/12
  • HID-2-1-341309 New 28/12
  • HID-2-1-5348691 New 28/12
  • HID-2-1-5348698 New 28/12
  • HID-2-1-5348687 New 28/12
  • HID-2-1-079625 New 28/12
  • HID-2-1-043933 New 28/12
  • HID-2-1-079624 New 28/12
  • HID-2-1-5348675 New 28/12

Released

  • ArcGIS Server Log4j RCE Vulnerability (000026951) - CVE-2021-44228
  • Cisco Identity Services Engine Log4j RCE Vulnerability (CSCwa47133)
  • Cisco Unified Communications Manager IM & Presence Service Log4j RCE Vulnerability (CSCwa47393)
  • Cisco Unified Communications Manager Log4j RCE Vulnerability (CSCwa47249)
  • IBM WebSphere Application Server Log4j RCE Vulnerability (6525706, Log4Shell) - CVE-2021-44228
  • Ubuntu log4j Vulnerability CVE-2021-44228
  • Elastic Logstash Multiple Log4j Vulnerabilities (Dec 2021)
  • Apache Log4j 2.0.x Multiple Vulnerabilities (Linux/Unix, Log4Shell) - Version Check
  • Apache JSPWiki 2.11.0 Log4j RCE Vulnerability (Log4Shell) - Active Check
  • Apache JSPWiki 2.11.0 Log4j RCE Vulnerability (Log4Shell) - Version Check
  • Apache Log4j 1.2.x RCE Vulnerability (Windows, Dec 2021) - Version Check
  • Apache Log4j 1.2.x RCE Vulnerability (Linux/Unix, Dec 2021) - Version Check
  • Ubuntu: Security Advisory for apache-log4j2 (USN-5192-1)
  • Fedora: Security Advisory for log4j (FEDORA-2021-f0f501d01f)
  • Ubuntu: Security Advisory for apache-log4j2 (USN-5197-1)
  • Apache Log4j 2.0.x Multiple Vulnerabilities (Windows, Log4Shell) - Version Check
  • Fedora: Security Advisory for log4j (FEDORA-2021-66d6c484f3)
  • Fedora: Security Advisory for jansi (FEDORA-2021-66d6c484f3)
  • Apache Archiva < 2.2.6 Multiple Log4j Vulnerabilities (Log4Shell)
  • Apache Tika Server 2.x < 2.2.0 Log4j RCE Vulnerability (Log4Shell)

VMware and Windows:

  • Apache Log4j Version Detection (Windows)
  • VMware vCenter Server 6.5, 6.7, 7.0 Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Automation 7.6 and 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Log Insight 8.2, 8.3, 8.4 and 8.6 Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Operations 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Orchestrator 7.6 and 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • Wowza Streaming Engine Log4j RCE Vulnerability - CVE-2021-44228
  • Splunk Enterprise 8.1.x, 8.2.x Log4j RCE Vulnerability - CVE-2021-44228
  • Apache Solr 7.x, 8.x Log4j RCE Vulnerability - CVE-2021-44228
  • Cisco Webex Meetings Server Log4j RCE Vulnerability (CSCwa47283)

To scan specifically for this vulnerability, you can set up a scan profile that includes only the HIDs above, for example:

 

mceclip0.png

 

 
