Log4j is the de facto logging library for Java and is embedded in a large share of Java-based applications. The challenge is that applications bundling a vulnerable log4j library can be coded, packaged, and deployed in many different ways, which complicates detection logic.
Qualys has released multiple QIDs (see blog for details) to detect Log4Shell. The detection logic of those QIDs assumes that best practices were followed when embedding the log4j library in a Java application. As explained above, that is not guaranteed, so an in-depth detection approach is required to complement those QIDs.
To help our customers, the Qualys team has created an out-of-band script for Linux and a utility for Windows that perform a "deep" file scan to find all instances of a vulnerable log4j library. The benefit of such a tool is that it finds vulnerable log4j libraries regardless of how the Java application was coded, packaged, and deployed. The disadvantage is that it performs a "deep" search of the entire hard drive, including the contents of archives, which is a time- and CPU-consuming task. As such, we recommend running this tool "out-of-band".
Note that any Java application may be vulnerable to Log4Shell. The vulnerability is not exclusive to web servers; Java client applications may be vulnerable as well.
Qualys has open-sourced the detection utility/script to help even if you are not a Qualys customer. The script, source code, and binaries are available on GitHub:
Windows: https://lnkd.in/gA9HpSBH
Linux: https://lnkd.in/gmWMiTe5
How it works:
The utility/script scans the entire hard drive and looks for the file JndiLookup.class (the presence of this class indicates that a vulnerable version of log4j may be present).
Once this file is found, the utility/script validates the version of the log4j jar based on its manifest.
The utility/script will search for this class inside all Jars, nested Jars, and other Java-based archives.
Vulnerable log4j jars are reported to a file.
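As an added example, and not the code of the Qualys utility or script, here is a small Python scanner that follows the same approach: it walks a directory tree, opens every jar/war/ear in memory and recurses into nested archives, flags each archive containing JndiLookup.class, and reads the log4j version from log4j-core's pom.properties or the manifest. The set of archive extensions, the version threshold (the CVE-2021-44228 fix versions 2.15.0, 2.12.2 and 2.3.1) and the sample files are assumptions made for illustration; the sample tree is constructed inline so the block runs offline.

```python
"""Deep scan for log4j's JndiLookup.class inside jars and nested archives,
reporting each hit's log4j version. Added example; not the Qualys tool."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXTS = {".jar", ".war", ".ear", ".zip"}  # assumed set of "Java-based archives"
INDICATOR = "JndiLookup.class"                    # marker class named in the post
MANIFEST = "META-INF/MANIFEST.MF"
# pom.properties is specific to log4j-core; the manifest of a shaded uber-jar
# may carry the application's own version, so pom.properties is checked first.
POM_RE = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")


def parse_version(text):
    """Version from MANIFEST.MF ('Implementation-Version: 2.14.1', continuation
    lines start with a space) or pom.properties ('version=2.14.1')."""
    joined = text.replace("\r\n", "\n").replace("\n ", "")
    m = re.search(r"^(?:Implementation-Version:|version=)\s*([0-9]\S*)", joined, re.M)
    return m.group(1) if m else None


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (non-numeric parts dropped)."""
    nums = [int(p) for p in re.split(r"[.\-]", v) if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])


def is_vulnerable_version(v):
    """CVE-2021-44228: log4j-core 2.0-beta9..2.14.1; fixed in 2.15.0, backports
    2.12.2 (Java 7) and 2.3.1 (Java 6). Unknown version -> True for human review."""
    if v is None:
        return True
    t = version_tuple(v)
    return not (t >= (2, 15, 0) or (2, 12, 2) <= t < (2, 13, 0) or (2, 3, 1) <= t < (2, 4, 0))


def scan_archive(data, chain, findings):
    """Recurse through one zip-based archive held in memory; `chain` lists the
    containers from the on-disk file inward (rendered as outer.war!/inner.jar)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                                        # wrong extension, not an archive
    with zf:
        names = zf.namelist()
        hits = [n for n in names if n == INDICATOR or n.endswith("/" + INDICATOR)]
        if hits:
            metas = [n for n in names if POM_RE.match(n)] + [MANIFEST]
            texts = (zf.read(m).decode("utf-8", "replace") for m in metas if m in names)
            version = next((v for v in map(parse_version, texts) if v), None)
            findings.append({"path": "!/".join(chain), "class": hits[0],
                             "version": version, "vulnerable": is_vulnerable_version(version)})
        for n in names:                               # nested jars, e.g. WEB-INF/lib/*.jar
            if os.path.splitext(n)[1].lower() in ARCHIVE_EXTS:
                scan_archive(zf.read(n), chain + [n], findings)


def scan_path(root):
    """Walk `root`, scanning every archive and also catching a loose
    JndiLookup.class from an exploded WAR, which has no manifest to check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if os.path.splitext(f)[1].lower() in ARCHIVE_EXTS:
                try:
                    with open(full, "rb") as fh:
                        scan_archive(fh.read(), [full], findings)
                except OSError:
                    continue                          # unreadable file: skip, keep scanning
            elif f == INDICATOR:
                findings.append({"path": full, "class": f, "version": None, "vulnerable": True})
    return findings


def build_sample_tree(root):
    """Constructed sample data (not real artifacts): a WAR nesting log4j-core
    2.14.1, a patched 2.17.0 jar, an unrelated jar, and an exploded class."""
    cls = "org/apache/logging/log4j/core/lookup/" + INDICATOR
    magic = b"\xca\xfe\xba\xbe"                       # class-file magic as stand-in bytecode

    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in entries.items():
                z.writestr(name, content)
        return buf.getvalue()

    core_old = jar({MANIFEST: "Manifest-Version: 1.0\r\nImplementation-Version: 2.14.1\r\n", cls: magic})
    core_new = jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                    "version=2.17.0\n", cls: magic})
    files = {"app.war": jar({"WEB-INF/lib/log4j-core-2.14.1.jar": core_old, "WEB-INF/web.xml": "<web-app/>"}),
             "log4j-core-2.17.0.jar": core_new,
             "commons-io.jar": jar({MANIFEST: "Manifest-Version: 1.0\r\n"}),
             os.path.join("exploded", cls): magic}
    os.makedirs(os.path.join(root, "exploded", os.path.dirname(cls)))
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_path(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in demo():
        print(("VULNERABLE" if f["vulnerable"] else "ok").ljust(10),
              (f["version"] or "unknown").rjust(8), f["path"])
```

Running the module scans the constructed sample tree; pointing scan_path at a drive root gives the real thing, with the time and CPU cost the post warns about. Two caveats the code makes visible: a loose JndiLookup.class in an exploded WAR has no manifest, so it is reported with an unknown version for manual review rather than dropped; and JndiLookup.class still ships in fixed releases such as 2.17.0, so the class is only the indicator and the version decides. A version taken from a shaded uber-jar's manifest may be the application's own, which is why log4j-core's pom.properties is preferred when present.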
QID to process utility output
A new QID (QID 376160) has been created to parse the output of these scripts.
The QID reads the output as written by the script/utility and reports the findings.
Note: The QID requires the utility/script to run on the asset before the Qualys scanner scans for the QID.
How to use:
Download the script or utility from the corresponding GitHub link
GitHub - Qualys/log4jscanwin: Log4j Vulnerability Scanner for Windows - note that a compiled version is available on the GitHub page
GitHub - Qualys/log4jscanlinux
Run the utility/script on every asset
Instructions on how to run the utility/script can be found on the GitHub page
The results are stored to disk by the utility or script. See the GitHub page for the file location per OS.
The next time a VM scan runs, it picks up the result of the script/utility and posts the QID if the results indicate a vulnerable asset.
Note:
Our engineers are working on adding a method to run those in-depth searches directly from the Qualys platform without the need to use an external tool. We will update this blog as soon as this solution is available for our customers.
Disclaimer
Qualys Inc. published this content on 17 December 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 December 2021 18:28:02 UTC.
Qualys, Inc. is a provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. The Company's integrated suite of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables its customers to identify and manage their IT and operational technology (OT) assets, collect and analyze large amounts of IT security data, recommend and implement remediation actions, and verify the implementation of such actions. It provides its solutions through a software-as-a-service model, primarily with renewable annual subscriptions. Its cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security and compliance assessments, and remediation for an organization's IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud.