Multiple cybersecurity experts have now released free-to-use scanners to help organizations look for vulnerable Log4j instances.
The Cybersecurity and Infrastructure Security Agency (CISA), for example, has published a Log4j scanner on GitHub, based on a previous version built by security firm FullHunt.
CISA said this tool scans for two vulnerabilities – CVE-2021-44228 and CVE-2021-45046 – and offers support for DNS callback for vulnerability discovery and validation. It also provides automatic bug detection for HTTP POST Data parameters, as well as JSON data parameters.
Cybersecurity experts from Crowdstrike have also published a similar scanner called CAST.
Scanners have flaws
However, researchers have warned that none of these tools are perfect, and may end up missing a vulnerability or two.
Yotam Perkal, research lead at security firm Rezilion, analyzed these tools and published the results in a blog post. According to Perkal, many scanners missed out on some versions of the vulnerability.
“The biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files – which means that a shallow search for the file won’t find it,” wrote Perkal. “Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages.”
Perkal tested a total of nine scanners, and while some performed better than others, none were able to identify all vulnerable Log4j deployments.
“It also reminds us that detection abilities are only as good as your detection method. Scanners have blindspots,” Perkal concluded. “Security leaders cannot blindly assume that various open-source or even commercial-grade tools will be able to detect every edge case. And in the case of Log4j, there are a lot of edge instances in many places.”
Log4j is a Java logger that was recently discovered to hold a critical flaw, which could allow malicious actors (even those with very little skill) to run arbitrary code on millions of endpoints, and push out malware, ransomware and cryptominers.
Further investigation uncovered that Log4Shell, as the flaw is dubbed, is one of the most serious security vulnerabilities in recent history. Jen Easterly, CISA Director, described it as “one of the most serious” she’s seen in her entire career, “if not the most serious”.
So far, Apache has issued at least three patches for Log4j since the discovery of the flaw, and users are urged to update immediately.
- Here’s our list of the best firewalls on the market