Detect Log4j Vulnerabilities

You can detect Log4Shell vulnerabilities in your environment by using the Out of Band Injection attack template in your scan config and reviewing the results for impact.

Out of Band Injection

The Out of Band Injection for Log4j attack module is only enabled by default in the Out of Band Injection template. By default, the All Modules template has this attack module disabled.

Out of Band Injection for Log4j

When an application logs data using certain versions of Log4j (2.0-beta9 to 2.14.1), it parses and resolves JNDI lookup strings in that data by default. This behavior is the cause of CVE-2021-44228. If an application logs any data from an untrusted source, that source could provide a JNDI lookup string that references a malicious, remotely hosted Java object. Log4j would then deserialize and load that object into the application, resulting in Remote Code Execution (RCE) and compromise of the application.

Recommendations

Though official mitigation steps are changing as new information arises, we recommend that applications upgrade Log4j to at least version 2.3.1 for Java 6, 2.12.3 for Java 7, or 2.17.0 for Java 8 and later, and preferably to the latest version available so that fixes for newly discovered issues are included. If upgrading Log4j is not an option, the Apache Software Foundation advises that in any release other than 2.16.0, you can remove the JndiLookup class from the log4j-core class path. We recommend using this method only when upgrading is not possible.
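To check deployed archives against the recommendation above, the following added example (not Rapid7 or Apache code) inspects a JAR or WAR, including nested JARs, for log4j-core copies and reports each copy's version and whether the JndiLookup class is still present. It assumes log4j-core carries its Maven pom.properties at the standard path; the function names and status labels are hypothetical, and the sample JARs are constructed.

```python
import io
import re
import zipfile

# Entry names inside a standard log4j-core JAR.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def meets_recommendation(version):
    """True for 2.3.x >= 2.3.1, 2.12.x >= 2.12.3, or anything >= 2.17.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False  # unparseable version: treat as needing review
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if major != 2:
        return major > 2
    return (minor == 3 and patch >= 1) or (minor == 12 and patch >= 3) or minor >= 17


def scan_archive(data, name="<archive>"):
    """Return one finding per log4j-core copy in the archive and its nested JARs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else "unknown"
            has_jndi = JNDI_CLASS in names
            if meets_recommendation(version):
                status = "ok"
            else:
                status = "upgrade-needed" if has_jndi else "jndilookup-removed"
            findings.append({"path": name, "version": version,
                             "jndi_lookup": has_jndi, "status": status})
        for inner in sorted(names):  # fat JARs and WARs bundle libraries as nested JARs
            if inner.lower().endswith((".jar", ".war")):
                try:
                    findings += scan_archive(zf.read(inner), f"{name}!/{inner}")
                except zipfile.BadZipFile:
                    pass  # not a readable archive; skip it
    return findings


def build_sample(version, with_jndi=True):
    """Constructed stand-in for a log4j-core JAR: metadata plus an empty class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()
```

A "jndilookup-removed" result means the class-removal workaround is in place on a release below the recommended version, so the copy is still a candidate for upgrade.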

Details

  • ModuleId - 87C67177-A0C6-45BF-A084-D1082166C32F
  • Type - Vulnerability
  • Active or Passive - Active

To use this attack template, your scan engine must be able to reach appspidered.rapid7.com. Most engines can reach this endpoint. If you have an on-premise engine, ensure your engine can reach appspidered.rapid7.com.

Scan with the Out of Band Injection attack template

In scan configs, you can select a new attack template made specifically for the Out of Band Injection attack module, or create a custom template and include this attack module in it.

  1. On the Apps page, select the app you want to scan.
  2. On the Scan Configs tab, create or edit a scan config.
    • To create, click Create and complete the General and Target tabs. Note: Use a scan config name that helps you identify this scan config, for example, Apache Log4j.
    • To edit, select the scan config you want to edit.
  3. On the Attack Templates tab, select Out of Band Injection. Only the Out of Band Injection for Log4j attack module is active in this template.
  4. In the attack template, click Save.
  5. In the scan config, click Save and Scan.

When the scan is completed, the Scan Overview page displays KPIs and scan results. Because the Out of Band Injection template runs only one module, the scan results are limited to Log4Shell vulnerabilities.

Click on any finding to view attack details and remediation ideas. For more information on analyzing results, see Review Vulnerabilities.

(Optional) Monitor and manage active scans.

The Scan Overview page is structured differently based on whether the scan is in progress or completed. When the scan is in progress, the page shows the Scan Status which has two tabs:

  • Vulnerabilities per attack - This tab is useful for a live snapshot of the vulnerabilities being discovered on your app.
  • Event Log - The Event Log lists, in real time, the actions taken by the InsightAppSec console as part of the scan, and can help you detect authentication or access failures early in the scan.

(Optional) Generate an InsightAppSec scan level report.

  1. Click Scans in the left sidebar.
  2. Select a scan from the scan-level vulnerability table. You can also select scans from within an App.
  3. Click Generate Report.
  4. From the Generate Report screen, enter a Report Name and select a Report Type.
  5. Select a scan report.
  6. Select a Format.
  7. Click Generate Report.