Log4j CVE-2021-44228

Are you actually having success getting the vulnerability check to return results? If so what type of system are you scanning against?

We have had ZERO success with the Remote check. Windows assets all reporting clean. Can't be the case. The only one working seems to be the original, Authenticated, Linux check. And it looks like even it has been updated with the latest release.

Same here. TCP/13456 wasn't firing off from the target to the scan engine. Firewalls off on both servers (temporarily). Even added an inbound rule on the scanner, and did netstat on both servers while the scan took place. The scanner wasn't listening on the port, and we saw no outbound connections of TCP/13456 from the target machine to the scanner. Not sure I fully trust the remote scan either. Had great luck with (and I stress) NEW Linux vuln checks. Ran a Full Audit scan on the same Linux servers Monday, and returned nothing. Watched a Rapid7 webinar today that explained how to create a custom template with specific Log4j vuln checks, ran the scan tonight, and immediately found vulns within 10 minutes. That webinar should be available soon. Check with your CSM, because I know they recorded at least the morning session I was in.

Hi, any reason we can't just enable file system searching in a custom scan template, disable everything else and search for log4j*.jar? This will at least produce a listing of where it is so teams can start to focus. Fully appreciate the possible performance hit here, but as has already been said, we are already taking hits searching entire filesystems using scripts etc.


The original content update for the remote check was released prior to that date, so I believe you would have the correct content with that version. However, we also recommend updating to product version 6.6.120 to get the latest in things like performance improvements, as well.

Ahh yes, so this is a little confusing based on how Apache has updated their advisory. They updated it to add information on a separate version stream of Log4j, different from the 2.16.0 one. So for that separate version stream, CVE-2021-44228 is mitigated by updating to 2.12.2.

If you run a scan, the logic we have in place should check to see if the Log4j version detected is between 2.0 and 2.12.2 and recommend updating to 2.12.2 if so. And if it detects 2.13 to 2.16, we show 2.16 as the solution.
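As an added illustration (not Rapid7's code) of the version-stream logic described in the reply above, combined with the log4j*.jar filesystem listing suggested earlier in the thread: the script below pulls the version out of log4j-core jar filenames and maps it to the fixed version the check would recommend. The filenames are constructed samples, and the range bounds (2.0 inclusive up to but not including 2.12.2; 2.13.0 up to but not including 2.16.0) are my reading of "between 2.0 and 2.12.2" and "2.13 to 2.16"; only log4j-core 2.x jars are considered.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: paths a filesystem search for log4j*.jar might return
SAMPLE_JARS = [
    r"C:\apps\svc1\lib\log4j-core-2.14.1.jar",
    r"C:\apps\svc2\lib\log4j-core-2.12.1.jar",
    r"C:\apps\svc3\lib\log4j-core-2.16.0.jar",
    r"C:\apps\legacy\lib\log4j-1.2.17.jar",      # 1.x: not matched here
    r"C:\apps\svc4\lib\log4j-api-2.14.1.jar",    # api jar alone: not matched here
]

# Only log4j-core-<major>.<minor>.<patch>.jar is parsed (assumption of this example)
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)


def parse_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a log4j-core jar filename, or None."""
    m = VERSION_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def recommended_fix(version: Tuple[int, int, int]) -> Optional[str]:
    """Map a detected version to the fixed release per the reply above.

    2.0 <= v < 2.12.2   -> 2.12.2  (separate 2.12.x stream)
    2.13.0 <= v < 2.16.0 -> 2.16.0
    Anything else (e.g. already 2.12.2 or 2.16.0) -> None
    """
    if (2, 0, 0) <= version < (2, 12, 2):
        return "2.12.2"
    if (2, 13, 0) <= version < (2, 16, 0):
        return "2.16.0"
    return None


def triage(paths: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, detected version, recommended fix) for each flagged jar."""
    findings = []
    for p in paths:
        v = parse_version(p)
        if v is None:
            continue  # not a log4j-core 2.x jar; out of scope for this check
        fix = recommended_fix(v)
        if fix:
            findings.append((p, ".".join(map(str, v)), fix))
    return findings


if __name__ == "__main__":
    for path, detected, fix in triage(SAMPLE_JARS):
        print(f"{path}: log4j-core {detected} -> update to {fix}")
```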

This is technically a potential option, though we haven't recommended it thus far due to scalability issues. That said, we've had similar feedback regarding folks being willing to take a performance hit and doing their own filesystem searches, so we can pass that along.

I'm now at product and content version 6.6.120 and the remote check still isn't showing ANY positive results. If the developers think it's supposed to work, how can we troubleshoot why it isn't?

Hi Holly, I've actually been testing this for the first time. The idea is to do targeted scans on systems that may be vulnerable. Where are the results populated? I'm doing something as simple as searching for r7test.txt in the file system and I can't seem to tell if it worked or not.

I don't see the Windows File System Search checkbox on the General tab of the Scan Template. Do I need to update to get this option?
Or should it be "Enable Windows services during a scan"?

Scan for Log4j CVE-2021-44228 (Log4Shell) | InsightVM Documentation (rapid7.com)

snippet:

To detect Log4Shell on Windows, enable Windows File Search.

To detect the Apache Log4j CVE-2021-44228 (Log4Shell) vulnerability on Windows devices, you must enable the Windows File System Search to allow scan engines to search all local file systems for specific files on Windows assets.

Searching file systems increases scan time and resource utilization

Searching entire file systems across all of your Windows assets is an intensive process that increases scan times and resource utilization.

  1. On the General tab, select the Windows File System Search checkbox.
  2. Review the warning text to determine whether you want to enable this option.
  3. To enable this feature, click OK.
  4. To cancel enabling, click Cancel.

Ok found out I need scan engine version 6.6.121

You need to update your console to version 6.6.121 and then update your scan engines. Once your console is updated, you'll see this option.


You may have seen this in InsightVM with the latest release (and I know it was mentioned just above ^^) but we have an update:

With product version 6.6.121, we have made updates to add an authenticated check for CVE-2021-44228 on Windows devices. This update provides the option to enable Windows File System Search to allow scan engines to search your local filesystems for specific files on Windows assets. Scan engines and consoles should be updated to version 6.6.121 for this, which will require a restart. Windows File System Search must be enabled in the scan template for this check, and WMI needs to be enabled in your environment.

Since Windows filesystem searches can be resource intensive, there's the potential that these scans will take longer than usual. If you have any concerns about scan time or impact on your devices, you can always stop the scan and disable Windows File System Search.

I'll continue sharing more info as we have it. Appreciate everyone's patience as we've been working on getting this out!


Can confirm the Windows authenticated scan identified the test system we stood up as vulnerable.


Were your scans authenticated? I'm not finding the un-auth vuln check working. Auth check finds, un-auth does not. 13456 not being blocked, ran Wireshark on the scan engine.

For Linux systems does it only work with the Insight Agent?

I have results from the Insight Agent. But when I scan the same systems with the scan engine it doesn't find anything. And after integrating the results, the information found via the Insight Agent is removed.

The Windows authenticated check appears to work, but if there's an agent installed and it does a sync, the vulnerability is removed in the console.


I noticed the same issue.

We have updated the Insight Agent data collection on Windows to support a new vulnerability check for CVE-2021-44228 (Log4Shell)! This functionality is available with version 3.1.2.38 of the Insight Agent.

If your organization relies on Insight Agents for vulnerability management, consider setting the Throttle level to High (this is the default) to ensure your agents get the update as quickly as possible. For more information, see Agent Management Settings in the Insight Agent documentation.


Hi Gina, with the update and the Insight Agent, will it do a file-system-level check for the affected log4j files, or do we still need to run a scan with Windows File Search?

Do we need to give the file path to search for in the file searching option in the template?

File searching
I am also not able to find the option; attaching the screenshot. @gina_seiber can you help us on this?