CISA, vendors refine scanners for Log4j vulnerabilities


Application Security, Business Continuity Management / Disaster Recovery, Cybercrime

Agency official also warns of lingering threat around Apache’s logging utility

Dan Gunderman (dangun127) •
December 30, 2021

The Log4j vulnerability is also called Log4Shell, as in this logo drawn by security researcher Kevin Beaumont.

As network defenders continue to patch or mitigate the remote code execution vulnerability in the Java Log4j logging library, several cybersecurity vendors have released scanning and assessment tools to speed up the identification process.


Open source and commercial scanning tools from the U.S. Cybersecurity and Infrastructure Security Agency and from vendors such as CrowdStrike, Microsoft, Trend Micro and Arctic Wolf give developers and administrators new resources for streamlining mitigation of the Apache vulnerability, which experts say may be present in hundreds of millions of devices and systems around the world.

The resources arrive as the Apache Software Foundation, the nonprofit that manages Apache’s open source projects, continues to release regular updates for the logging library, the latest being 2.17.1, which addresses another, less serious RCE vulnerability, CVE-2021-44832, disclosed this week by the firm Checkmarx. CVE-2021-44832 has a “moderate” CVSS score of 6.6, reflecting that it requires an attacker who can already modify the logging configuration (see: Apache Log4j version 2.17.1 fixes a new defect).

The widespread Log4j vulnerability, CVE-2021-44228, was publicly disclosed on December 9 after reportedly being discovered by Alibaba’s cloud security team, putting security teams on high alert as the holiday season approached.

Several scanners


CISA’s Log4j scanner builds on tools created by the open source community, the agency said on Twitter, including one from the security company FullHunt.

It is available in CISA’s GitHub organization, cisagov.



Microsoft added Log4j detection to Microsoft 365 Defender to provide a “consolidated view” of an organization’s exposure to the vulnerability, including discovery of vulnerable library components on devices and in applications, a dedicated dashboard and a “new schema in advanced hunting.”

Microsoft says the scanner’s capabilities are supported on Windows 10, Windows 11, and Windows Server 2008, 2012 and 2016, as well as on Linux, although Linux requires updating the Defender for Endpoint Linux client to version 101.52.57 (30.121092.15257.0) or later.

When Microsoft rolled out its Log4j detection capabilities in Defender on Monday, some users quickly took to Twitter to highlight what appeared to be false positive alerts. Tagging Microsoft, user @CISOwithHoodie wrote: “Is anyone else getting ‘Possible tampering of in-memory sensor detected by Microsoft Defender for Endpoint’ alerts created by OpenHandleCollector.exe?”

User @irestartpcs replied, “Ditto. And it looks like it has something to do with finding log4j based on the command line. The emails started in the last hour for me and didn’t stop.”

The reports prompted Tomer Teller, senior security researcher in the Microsoft Azure Cyber Security group, to reply via Twitter: “Thanks for reporting this. The team is investigating this.”

The issue has now reportedly been resolved, according to a Microsoft spokesperson who told VentureBeat on Wednesday, “We have resolved an issue for some customers who may have experienced a series of false positive detections.”


CrowdStrike’s offering, the CrowdStrike Archive Scan Tool, or CAST, performs targeted directory searches for JAR, WAR, ZIP and EAR files and then scans those archives against a known set of checksums for Log4j libraries. The tool is available for Windows, macOS and Linux systems.

CrowdStrike says CAST “helps organizations find any affected version of the Log4j library anywhere on disk, even if it is deeply nested in multiple levels of archive files.”

Trend Micro

Trend Micro has released a web-based Log4j vulnerability scanner that it says can “help users and administrators identify potentially affected server applications.”

The company says its self-service vulnerability assessment tool “leverages free access to the Trend Micro Vision One Threat Defense Platform” to identify endpoints and server applications that may be affected by Log4j. Trend Micro says the tool “provides a detailed view of your attack surface and shares next steps to mitigate risk.”

Arctic Wolf

Security firm Arctic Wolf has released Log4Shell Deep Scan, a tool that detects CVE-2021-45046 and CVE-2021-44228 in nested JAR files, as well as in WAR and EAR files, the company says.

“Once executed, Arctic Wolf’s Log4j detection script will use code analysis and deep analysis of a host’s file system to identify Java applications and libraries with vulnerable Log4j code,” the page reads. “When it identifies the existence of impacted Log4j code, the script reports it and displays its location in the host’s file system.”

It was published on GitHub for Windows, macOS, and Linux.
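Both CAST and Arctic Wolf’s scanner work by descending into archives nested inside other archives, because a vulnerable log4j-core is frequently buried as a JAR inside a WAR inside an EAR where a filename search never sees it. The following Python scanner is an added example of that technique; it is not code from CrowdStrike, Arctic Wolf or CISA. It walks the nesting entirely in memory, reports each embedded log4j-core by version and by whether JndiLookup.class is still present, hashes that class for matching against a caller-supplied set of known-bad checksums, and maps the version to the two CVEs the article names. The sample EAR, the placeholder class bytes and the checksum set used in the usage call are all constructed for the demonstration; a real deployment would supply the vendor-published hashes.

```python
"""Recursive scan of nested JAR/WAR/EAR/ZIP archives for vulnerable log4j-core.

Added example; it is not CrowdStrike's CAST or Arctic Wolf's Log4Shell Deep Scan.
Everything runs in memory, so archives nested to any depth are handled without
unpacking to disk. The sample EAR built by build_sample_ear() is constructed.
"""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import FrozenSet, Iterator, List, Optional, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MAX_DEPTH = 10  # guard against pathological nesting (zip bombs)


@dataclass
class Finding:
    location: str               # outer!inner!... path, like a JVM resource URL
    version: Optional[str]      # from pom.properties; None for shaded/repackaged jars
    has_jndi_lookup: bool       # class present => JNDI lookups are reachable
    jndi_sha256: Optional[str]  # hash for matching against a known-bad set
    checksum_match: bool = False
    cves: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.cves) or self.checksum_match


def parse_version(text: Optional[str]) -> Optional[Tuple[int, int, int]]:
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def affected_cves(version, has_jndi_lookup: bool) -> List[str]:
    """Version-based check for the two CVEs named in the text (log4j 2.x only).

    Fixes: CVE-2021-44228 in 2.15.0; CVE-2021-45046 in 2.16.0; both in the
    2.12.2 and 2.3.1 backports. Deleting JndiLookup.class from the jar is the
    Apache-documented mitigation, so a jar without it gets no CVE tag here.
    """
    if version is None or version[0] != 2 or not has_jndi_lookup:
        return []
    _, minor, patch = version
    if minor == 3:   # 2.3.x backport branch (Java 6)
        return [] if patch >= 1 else ["CVE-2021-44228", "CVE-2021-45046"]
    if minor == 12:  # 2.12.x backport branch (Java 7)
        return [] if patch >= 2 else ["CVE-2021-44228", "CVE-2021-45046"]
    cves = []
    if version < (2, 15, 0):
        cves.append("CVE-2021-44228")
    if version < (2, 16, 0):
        cves.append("CVE-2021-45046")
    return cves


def _walk(zf: zipfile.ZipFile, location: str, known: FrozenSet[str], depth: int) -> Iterator[Finding]:
    names = set(zf.namelist())
    has_jndi = JNDI_LOOKUP_CLASS in names
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                version = value.strip()
    if has_jndi or version is not None:
        sha = hashlib.sha256(zf.read(JNDI_LOOKUP_CLASS)).hexdigest() if has_jndi else None
        yield Finding(location, version, has_jndi, sha, checksum_match=sha in known,
                      cves=affected_cves(parse_version(version), has_jndi))
    if depth >= MAX_DEPTH:
        return
    for name in zf.namelist():  # recurse into every embedded archive, in order
        if not name.lower().endswith(ARCHIVE_SUFFIXES):
            continue
        data = zf.read(name)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                yield from _walk(inner, f"{location}!{name}", known, depth + 1)


def scan(source, known_vulnerable_hashes: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Scan a file path or in-memory archive bytes; one Finding per log4j-core jar."""
    if isinstance(source, (bytes, bytearray)):
        data, label = bytes(source), "<bytes>"
    else:
        with open(source, "rb") as fh:
            data, label = fh.read(), str(source)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return list(_walk(zf, label, known_vulnerable_hashes, 0))


def _jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar (placeholder class bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe" + f"placeholder {version}".encode())
    return buf.getvalue()


def build_sample_ear() -> bytes:
    """Constructed EAR -> WAR -> JAR nesting holding three log4j-core variants."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _jar("2.14.1", True))            # vulnerable
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _jar("2.17.1", True))            # fixed, class still shipped
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1-stripped.jar", _jar("2.14.1", False))  # class deleted
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as zf:
        zf.writestr("lib/app.war", war.getvalue())
        zf.writestr("README.txt", "not an archive")
    return ear.getvalue()


if __name__ == "__main__":
    for f in scan(build_sample_ear()):
        print(f"{'FLAGGED' if f.flagged else 'ok':8} {f.location} version={f.version} "
              f"jndi={f.has_jndi_lookup} {','.join(f.cves)}")
```

Two design points matter in practice. Version alone is not enough: 2.16.0 and later still ship JndiLookup.class (disabled by default), so the scanner reports the class but assigns no CVE to 2.17.1, while a 2.14.1 jar from which the class was deleted is reported without a CVE because that deletion is the documented mitigation. Conversely, shaded or repackaged jars carry no pom.properties, which is why the class hash is kept and matched against a known-bad set, the same approach CAST takes with its checksum list.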


CISA: Patch as soon as possible

Even with new resources to mitigate Log4j risk, experts are still warning defenders to stay on their toes, pointing to active scanning and exploitation by sophisticated threat actors and advanced persistent threat groups. CrowdStrike announced on Wednesday that it had thwarted an attempt by a Chinese state-linked APT to exploit Log4j against a “large educational institution” (see: Encryption platform suffers ransomware attack related to Log4j).

At an event Tuesday with the ISMG CyberEdBoard, a membership-only community of security executives and thought leaders, Eric Goldstein, executive assistant director for cybersecurity at CISA, underscored the seriousness of Log4j.

“The prevalence here is truly extraordinary,” Goldstein said during the session. “This vulnerability can [also] be trivial to exploit. We’ve seen proof of concept of an exploit as small as 12 characters that can be triggered via a chat message, text message, or email header.

“At least theoretically, it’s really trivial to exploit and then, due to the nature of the vulnerability, it gives the potential for real deep access into a target system.”

Goldstein said: “We [have seen] this vulnerability being used ubiquitously, but what we call lower level activity. So, for example, the embezzlement of resources for cryptomining or the embezzlement of assets to be used in botnets. But now we’re starting to see a little more concern about more sophisticated activities. … [And] We suppose that [more] is yet to come.”

He also warned that malicious actors may already have compromised targets and gained a foothold but might wait weeks before executing their payloads.

“Organizations running vulnerable Log4j instances, especially when those instances accept data from the Internet, should really assume that they are subject to a deep compromise that could affect their critical functions and core infrastructure,” Goldstein said.

In the wake of this explosive flaw, he added, federal officials will continue to advocate for machine-readable software bills of materials, or SBOMs, so that security teams can almost immediately understand what their software is made of and avoid a tedious manual identification process.

