Detect Log4j Vulnerabilities
You can detect for Log4Shell vulnerabilities in your environment by utilizing the Out of Band Injection attack template in your scan config and reviewing the results for impact.
Out of Band Injection
The Out of Band Injection for Log4j attack module is only enabled by default in the Out of Band Injection template. By default, the All Modules template has this attack module disabled.
Out of Band Injection for Log4j
When an application logs data using certain versions of Log4j (2.0-beta9 to 2.14.1), because of CVE-2021-44228, it will parse and resolve JNDI lookup strings in the data by default. This means that if an application logs any data from an untrusted source, then that source could provide a JNDI lookup string that references a malicious, remotely-hosted java object. Log4j would then deserialize and load that object into the application, resulting in Remote Code Execution (RCE) and compromise the application.
Recommendations
Though official mitigation steps are changing as new information arises, we recommend that applications upgrade Log4j to at least version 2.3.1 for Java 6, 2.12.3 for Java 7, or 2.17.0 for Java 8 and later, but preferably the latest version available to fix any new issues as they are discovered. If upgrading Log4j is not an option, the Apache Software Foundation advises that in any release other than 2.16.0, you can remove the JndiLookup class from the log4j-core class path, but we recommend only using this method when upgrading is not possible.
Details
- ModuleId - 87C67177-A0C6-45BF-A084-D1082166C32F
- Type - Vulnerability
- Active or Passive - Active
To use this attack template, your scan engine must be able to reach appspidered.rapid7.com. Most engines can reach this endpoint. If you have an on-premise engine, ensure your engine can reach appspidered.rapid7.com.
Scan with the Out of Band Injection attack template
In scan configs, you can select a new attack template made specifically with the Out of Band Injection attack module or create a custom template and choose this attack template as part of the module.
- On the Apps page, select the app you want to scan.
- On the Scan Configs tab, create or edit a scan config.
- To create, click Create and complete the General and Target tabs.
Note: Use a scan config name to help you identify this scan config, for example
Apache Log4j. - To edit, select the scan config you want to edit.
- To create, click Create and complete the General and Target tabs.
Note: Use a scan config name to help you identify this scan config, for example
- On the Attack Templates tab, select Out of Band Injection. Only the Out of Band Injection for Log4j attack module is active in this template.
- In the attack template, click Save.
- In the scan config, click Save and Scan.
When the scan is completed, the Scan Overview page displays KPIs and scan results. Because the Out of Band Injection template runs only one module, the scan results are limited to Log4Shell vulnerabilities.
Click on any finding to view attack details and remediation ideas. For more information on analyzing results, see Review Vulnerabilities.
(Optional) Monitor and manage active scans.
When the scan is in progress, the page shows the Scan Overview which has two tabs:
- Vulnerabilities - This tab is useful for a live snapshot of the vulnerabilities being discovered on your app in real-time.
- Scan Logs - The logs list in real time the actions taken by the InsightAppSec console as part of the scan, and can help you detect authentication or access failures early in the scan.
(Optional) Generate an InsightAppSec scan level report.
- Click Scans in the left sidebar.
- Select a scan from the scan-level vulnerability table. You can also select scans from within an App.
- Click Generate Report.
- From the Generate Report screen, enter a Report Name and select a Report Type.
- Select a scan report.
- Select a Format.
- Click Generate Report.