Log4j CVE-2021-44228

Can confirm the windows authenticated scan identified our test system we stood up as vulnerable.


Were your scans authenticated? I'm not finding the un-auth vuln check working. Auth check finds, un-auth does not. 13456 not being blocked, ran Wireshark on scan engine.

For Linux systems does it only work with the Insight Agent?

I have results from the Insight Agent. But when I scan the same systems with the scan engine it doesn't find anything. And after integrating the results, the information found via the Insight Agent is removed.

The Windows authenticated check appears to work, but if there's an agent installed and it does a sync, the vulnerability is removed in the console.


I noticed the same issue.

:mega: We have updated the Insight Agent data collection on Windows to support a new vulnerability check for CVE-2021-44228 (Log4Shell)! This functionality is available with version 3.1.2.38 of the Insight Agent.

If your organization relies on Insight Agents for vulnerability management, consider setting the Throttle level to High (this is the default) to ensure your agents get the update as quickly as possible. For more information, see Agent Management Settings in the Insight Agent documentation.


Hi Gina, with the update and the insight agent, will it do a file system level check for the affected log4j files or do we still need to run a scan with windows file search?

Do we need to give the file path to search for in the file searching option in the template?

File searching
I am also not able to find the option. Attaching the screenshot. @gina_seiber can you help us on this?

Please enable the Windows file searching option, which is in the General tab of the template.

Can the agent-based file search scan be modified to find older versions of log4j, to include version 1.2 in reference to CVE-2021-4104?


Make sure you're updated and look for the option in the General tab. The File Searching tab is legacy, from what support told me.

Rapid7 is not scanning for any Log4J assets that are vulnerable… implemented all the steps as suggested by the Rapid7 blog. Can anyone help? I am now relying on SCCM as it is giving me a good list of all Log4J components on Windows assets, but what about network and Unix devices? @rapid7_sales @rapid7vm_rapid7vm @rapid7_admin @gina_seiber

Does the Windows authenticated check and/or agent search drives other than C:?

Same question I have. I hope it is not searching drives other than C:; can anyone please confirm this?

With the agent for Windows or Linux, how long does it take for vulnerabilities to come off once patched?

@mike when you did authenticated, did you use the normal scan template or the custom ones in the directions Rapid7 gave? I have tried both and seem to get no results, but of course I don't know how to check to see if it actually took place or if the asset is vulnerable unless I see the CVE?

Custom one with Enable Windows File System Search enabled in the template and only the latest log4j checks.

On a different note, the latest content update appears to have deleted CVE-2021-44228. The message is "This vulnerability has been deleted. It remains available for reporting and archival purposes." The checks are now also missing from the templates.

@mike oh man, I had admin screenshot that to me; he thought it was remediated. I didn't know what it was doing, never seen it before. So it got deleted, maybe, you think?

@am1 @mike both methods search all local drives. So if you have D: local (as an example), they will also search that… but they will NOT search CD drives, network drives, etc.
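For anyone who wants to cross-check what the scan engine or agent reports about local drives, here is an added example (not Rapid7 code, not from any post in this thread) that walks every local fixed drive, finds `log4j-core-*.jar` files by name, and reports whether `JndiLookup.class` is still inside each jar. Drive enumeration, the file-name regex, the `demo()` fixture and the `make_sample_jar` helper are this example's own assumptions; on non-Windows hosts it searches `/`.

```python
import ctypes, os, re, string, sys, tempfile, zipfile
from pathlib import Path

JAR_NAME = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$", re.IGNORECASE)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
DRIVE_FIXED = 3  # GetDriveTypeW result for a local hard disk

def local_fixed_roots() -> list:
    """Local fixed drives on Windows (skips CD, removable and network drives); '/' elsewhere."""
    if sys.platform != "win32":
        return [Path("/")]
    return [Path(f"{c}:\\") for c in string.ascii_uppercase
            if ctypes.windll.kernel32.GetDriveTypeW(f"{c}:\\") == DRIVE_FIXED]

def inspect_jar(path: Path) -> dict:
    """Version taken from the file name, plus whether the JNDI lookup class is still in the jar."""
    match = JAR_NAME.match(path.name)
    try:
        with zipfile.ZipFile(path) as zf:
            has_jndi = JNDI_LOOKUP in zf.namelist()
    except zipfile.BadZipFile:
        has_jndi = None  # unreadable jar: report it rather than skip it silently
    return {"path": str(path), "version": match.group(1) if match else None,
            "jndi_lookup_present": has_jndi}

def find_log4j_jars(roots) -> list:
    """Walk each root and inspect every log4j-core jar (jars nested in WAR/EAR files are not opened)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            hits.extend(inspect_jar(Path(dirpath) / f) for f in files if JAR_NAME.match(f))
    return hits

def make_sample_jar(directory: Path, version: str, with_jndi: bool) -> Path:
    """Constructed fixture only: a minimal zip named like a log4j-core jar."""
    jar = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return jar

def demo() -> list:
    """Scan a constructed temp tree: one jar still holding JndiLookup, one with it removed."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(Path(tmp), "2.14.1", with_jndi=True)
        (Path(tmp) / "stripped").mkdir()
        make_sample_jar(Path(tmp) / "stripped", "2.14.1", with_jndi=False)
        return sorted(find_log4j_jars([Path(tmp)]), key=lambda h: h["path"])
```

On a real host, `find_log4j_jars(local_fixed_roots())` performs the actual search; `demo()` only exercises the constructed fixture.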