Log4j CVE-2021-44228

I'm now at product and content version 6.6.120 and the remote check still isn't showing ANY positive results. If the developers think it's supposed to work, how can we troubleshoot why it isn't?

Hi Holly, I've actually been testing this for the first time. The idea is to do targeted scans on systems that may be vulnerable. Where are the results populated at? I'm doing something as simple as searching for r7test.txt in the file system and I can't seem to tell if it worked or not.

I don't see the Windows File System Search checkbox on the General tab of the Scan Template. Do I need to update to get this option?
Or should it be "Enable Windows services during a scan"?

Scan for Log4j CVE-2021-44228 (Log4Shell) | InsightVM Documentation (rapid7.com)

snippet:

To detect Log4Shell on Windows, enable Windows File Search.

To detect the Apache Log4j CVE-2021-44228 (Log4Shell) vulnerability on Windows devices, you must enable the Windows File System Search to allow scan engines to search all local file systems for specific files on Windows assets.

Searching file systems increases scan time and resource utilization

Searching entire file systems across all of your Windows assets is an intensive process that increases scan times and resource utilization.

  1. On the General tab, select the Windows File System Search checkbox.
  2. Review the warning text to determine whether you want to enable this option.
  3. To enable this feature, click OK.
  4. To cancel enabling, click Cancel.

Ok found out I need scan engine version 6.6.121

You need to update your console to version 6.6.121 and then update your scan engines. Once your console is updated, you'll see this option.

1 Like

You may have seen this in InsightVM with the latest release (and I know it was mentioned just above ^^) but we have an update: :mega:

With product version 6.6.121, we have made updates to add an authenticated check for CVE-2021-44228 on Windows devices. This update provides the option to enable Windows File System Search to allow scan engines to search your local filesystems for specific files on Windows assets. Scan engines and consoles should be updated to version 6.6.121 for this, which will require a restart. Windows File System Search must be enabled in the scan template for this check, and WMI needs to be enabled in your environment.

Since Windows filesystem searches can be resource intensive, there's the potential that these scans will take longer than usual. If you have any concerns about scan time or impact on your devices, you can always stop the scan and disable Windows File System Search.

I'll continue sharing more info as we have it. Appreciate everyone's patience as we've been working on getting this out!

1 Like

Can confirm the windows authenticated scan identified our test system we stood up as vulnerable.

5 Likes

Were your scans authenticated? I'm not finding the un-auth vuln check working. Auth check finds, un-auth does not. 13456 not being blocked, ran wireshark on scan engine.

For Linux systems does it only work with the Insight Agent?

I have results from the Insight Agent. But when I scan the same systems with the scan engine it doesn't find anything. And after integrating the results the information found via the Insight Agent is removed.

The Windows authenticated check appears to work but if there's an agent installed and it does a sync, the vulnerability is removed in the console.

1 Like

I noticed the same issue.

:mega: We have updated the Insight Agent data collection on Windows to support a new vulnerability check for CVE-2021-44228 (Log4Shell)! This functionality is available with version 3.1.2.38 of the Insight Agent.

If your organization relies on Insight Agents for vulnerability management, consider setting the Throttle level to High (this is the default) to ensure your agents get the update as quickly as possible. For more information, see Agent Management Settings in the Insight Agent documentation.

2 Likes

Hi Gina, with the update and the insight agent, will it do a file system level check for the affected log4j files or do we still need to run a scan with windows file search?

Do we need to give the file path to search for the file searching option in the template?

File searching
I am also not able to find the option. Attaching the screenshot. @gina_seiber can you help us on this?

Please enable the windows file searching option which is in general tab of the template.

Can the agent based file search scan be modified to find older version of log4j to include version 1.2 in reference to CVE-2021-4104?

1 Like

Make sure you're updated and look for the option in the General tab. The File Searching tab is legacy. From what support told me.

Rapid7 is not scanning for any Log4J assets that are vulnerable… implemented all the steps as suggested by the Rapid7 blog. Can anyone help? I am now relying on SCCM as it is giving me a good list of all Log4J components on Windows assets but what about Network and Unix devices? @rapid7_sales @rapid7vm_rapid7vm @rapid7_admin @gina_seiber

Does the Windows authenticated check and/or agent search drives other than C:?
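
An independent cross-check for the situations raised in this thread (scanner and agent results disagreeing, drives other than C:, Unix hosts), added here as an example; it is not part of any post and is not Rapid7's check. It assumes the widely used indicator for CVE-2021-44228, a Java archive that still contains log4j-core's `JndiLookup.class`, and goes beyond a plain file-name search by opening nested archives (WARs, fat JARs); the function names are hypothetical.

```python
import io
import os
import string
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear")
MAX_NESTED = 256 * 1024 * 1024  # assumption: skip nested archives larger than 256 MiB


def default_roots():
    """Every drive letter that exists on Windows (not only C:), '/' elsewhere."""
    if os.name == "nt":
        return [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]
    return ["/"]


def inspect_archive(data, label, depth=0):
    """Findings for one archive (path or file object), descending into nested ones."""
    findings = []
    try:
        with zipfile.ZipFile(data) as zf:
            names = set(zf.namelist())
            if JNDI_CLASS in names:
                version = "unknown"
                if POM_PROPS in names:
                    props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                    version = next((l[8:].strip() for l in props if l.startswith("version=")), version)
                findings.append({"path": label, "version": version})
            for info in zf.infolist() if depth < 3 else []:
                if info.filename.lower().endswith(ARCHIVE_EXTS) and info.file_size <= MAX_NESTED:
                    inner = io.BytesIO(zf.read(info))
                    findings += inspect_archive(inner, f"{label}!{info.filename}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError, NotImplementedError, EOFError):
        pass  # unreadable, encrypted or corrupt archive: skip it, keep sweeping
    return findings


def find_log4j_core(roots=None):
    """Walk each root and list archives that still contain JndiLookup.class."""
    findings = []
    for root in roots or default_roots():
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for fname in files:
                if fname.lower().endswith(ARCHIVE_EXTS):
                    full = os.path.join(dirpath, fname)
                    findings += inspect_archive(full, full)
    return findings
```

Calling `find_log4j_core()` with no arguments sweeps every local drive and returns one entry per archive with the path and the log4j-core version read from its Maven metadata; compare each version against the fixed releases listed in the Apache advisory.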