We had some specific ‘log4j’-only templates/scans running along with our regularly scheduled scans.
Two questions hoping someone can help with…
Wanting to confirm that a current template I am using already includes log4j checks, but I find understanding the displayed/not displayed selections extremely user-unfriendly. We have this template edited to use only the check types ‘Microsoft hotfix’, ‘rpm’ and ‘patch’. Would log4j fall under these choices, and how do I confirm this?
We have a separate Log4j-only template that was previously configured. Do we need to be updating and adding to the log4j-specific scan (i.e. going to templates, vulnerabilities and searching for more ‘log4j’ to add)?
I believe these three check types would include some of the log4j checks we’ve added, but not all of them, since some of them may fall under Local or Safe, for instance. If you want to add all of the possible log4j checks, you can:
Click Add Check Types
Search for CVE-2021-44228
When the results appear, click Select All, and then Save
That’s correct. If you’ve got a template you’ve been adding log4j specific checks to (kinda like I did in the steps above), then you would have to search and add additional log4j checks as we release them.
You can actually follow the same steps for CVE-2021-45046 and CVE-2021-45105, if you’d like to have coverage for those added to the same template.
One more thing I just learned - we added a new vulnerability category called Apache Log4j, released January 12. With this, rather than having to manually search CVEs and add new checks to the template every time they’re released, you should be able to just select Apache Log4j as a vuln category for your template, and then it’ll automatically include new checks as they’re added.
Correct, I believe you should be able to deselect them, and the checks that fall under the Apache Log4j category will be performed. You just don’t want to add them to the “disabled” list, or anything similar that might conflict.
Jennifer, you will need to search for each of the Log4j CVEs under the individual checks and add them to your scan template. The Apache Log4j vulnerability category does not contain all Log4j CVEs released. It only contains the Log4j checks released by Rapid7.
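The thread above describes three ways a template can end up with (or without) Log4j coverage: selecting only a few check types, selecting the Apache Log4j category, or adding every check that matches a CVE, and it warns that a check on the “disabled” list will not run even if its category is selected. The script below is an added example, not Rapid7’s code and not the InsightVM API: it models a template as sets of enabled categories, enabled checks and disabled checks over a constructed check catalog, and reports which of the three CVEs named in the thread would actually be tested. Check identifiers, category membership and the “Local”/“Patch” categories are assumptions made for the illustration; only the CVE numbers and the “Apache Log4j” category name come from the thread.

```python
"""Audit a scan template's Log4j coverage against a check catalog.

Constructed model (not the InsightVM API or data): a template enables
vulnerability categories and individual checks and may also carry a
disabled-checks list; the catalog maps each check to one CVE and one category.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Check:
    check_id: str    # hypothetical identifier for the vulnerability check
    cve: str
    category: str


@dataclass
class ScanTemplate:
    enabled_categories: set = field(default_factory=set)
    enabled_checks: set = field(default_factory=set)
    disabled_checks: set = field(default_factory=set)


# Constructed catalog. The Apache Log4j category deliberately does not hold a
# check for every Log4j CVE (the thread notes the category is not exhaustive):
# the CVE-2021-45105 check is filed under "Local", and a vendor patch check for
# CVE-2021-44228 sits under "Patch". All IDs are assumptions.
CATALOG = [
    Check("log4j-core-jndi", "CVE-2021-44228", "Apache Log4j"),
    Check("log4j-core-jndi-2", "CVE-2021-45046", "Apache Log4j"),
    Check("log4j-lookup-recursion", "CVE-2021-45105", "Local"),
    Check("vendor-patch-log4j", "CVE-2021-44228", "Patch"),
]

LOG4J_CVES = {"CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"}


def add_checks_for_cve(template, catalog, cve):
    """Model of 'Add Check Types -> search CVE -> Select All -> Save':
    enable every catalog check that matches the CVE, individually."""
    for check in catalog:
        if check.cve == cve:
            template.enabled_checks.add(check.check_id)
    return template


def effective_checks(template, catalog):
    """Checks that will actually run: selected by category or individually,
    minus anything on the disabled list (the disabled list wins)."""
    selected = {
        c for c in catalog
        if c.category in template.enabled_categories
        or c.check_id in template.enabled_checks
    }
    return {c for c in selected if c.check_id not in template.disabled_checks}


def coverage_report(template, catalog, wanted_cves):
    """Return which wanted CVEs have no active check, which wanted checks are
    selected but suppressed by the disabled list, and the active check IDs."""
    active = effective_checks(template, catalog)
    covered = {c.cve for c in active}
    suppressed = sorted(
        c.check_id for c in catalog
        if c.check_id in template.disabled_checks and c.cve in wanted_cves
    )
    return {
        "missing": sorted(set(wanted_cves) - covered),
        "suppressed": suppressed,
        "active": sorted(c.check_id for c in active),
    }


if __name__ == "__main__":
    # The questioner's template: only three check types selected.
    narrow = ScanTemplate(enabled_categories={"Microsoft Hotfix", "RPM", "Patch"})
    print("check-type template:", coverage_report(narrow, CATALOG, LOG4J_CVES))

    # Category only, plus one check wrongly placed on the disabled list.
    cat = ScanTemplate(enabled_categories={"Apache Log4j"},
                       disabled_checks={"log4j-core-jndi"})
    print("category template:", coverage_report(cat, CATALOG, LOG4J_CVES))

    # Per-CVE additions as in the steps from the thread.
    manual = ScanTemplate()
    for cve in sorted(LOG4J_CVES):
        add_checks_for_cve(manual, CATALOG, cve)
    print("per-CVE template:", coverage_report(manual, CATALOG, LOG4J_CVES))
```

Run against a real template export, the same three questions apply: does every CVE you care about map to at least one active check, is any selected check cancelled by the disabled list, and does relying on the category alone leave a CVE with no check at all. The report answers all three from the sets rather than from the display, which is the part of the UI the questioner found hard to read.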