Confirming Log4j selected in existing template!?

We had some specific ‘log4j’ only template/scans running along with our regularly scheduled scans.

Two questions hoping someone can help with…

  1. Wanting to confirm that a current template I am using already includes log4j checks, but I find understanding the displayed/not displayed selections extremely un-user friendly - we have this template edited for only by check types of ‘Microsoft hotfix’, ‘rpm’ and ‘patch’ - would log4j fall under these choices? How do I confirm this?

  2. We have a separate Log4j only template that was previously configured. Do we need to be updating and adding to the log4j specific scan (i.e. going to templates, vulnerabilities and searching for more ‘log4j’ to add)?

I believe these three check types would include some of the log4j checks we’ve added, but not all of them, since some of them may fall under Local or Safe, for instance. If you want to add all of the possible log4j checks, you can:

  1. Click Add Check Types
  2. Search for CVE-2021-44228
  3. When the results appear, click Select All, and then Save

That’s correct. If you’ve got a template you’ve been adding log4j specific checks to (kinda like I did in the steps above), then you would have to search and add additional log4j checks as we release them.

I hope that helps!

Thanks Holly, thank you. I am glad to have the confirmation.

Just wanted to double check: is it sufficient to only search/add for CVE-2021-44228? I believe there were another 2 or so related CVEs?

You can actually follow the same steps for CVE-2021-45046 and CVE-2021-45105, if you’d like to have coverage for those added to the same template.

One more thing I just learned - we added a new vulnerability category called Apache Log4j, released January 12. With this, rather than having to manually search CVEs and add new checks to the template every time they’re released, you should be able to just select Apache Log4j as a vuln category for your template, and then it’ll automatically include new checks as they’re added.

Thank you Holly! Sounds great about the new category, and much easier that way.

Just want to check if this is right.

If I have selected via the category, then I can deselect all the individual checks?

Correct, I believe you should be able to deselect them, and the checks that fall under the Apache Log4j category will be performed. You just don’t want to add them to the “disabled” list, or anything similar that might conflict.

Jennifer, you will need to search for each of the Log4j CVEs under the individual checks and add them to your scan template. The Apache Log4j vulnerability category does not contain all Log4j CVEs released. It only contains the Log4j checks released by Rapid7.

Log4j CVEs:

CVE-2021-44228
CVE-2021-4104
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
CVE-2022-23302
CVE-2022-23305
CVE-2022-23307

[Image: Apache Log4j vulnerability category]

Yikes, well that is no fun!!! Thanks Christopher for the update, glad I didn’t hit send on the email I was drafting to my team before I checked back here.