Log4j CVE-2021-44228

Please enable the Windows file searching option, which is in the General tab of the template.

Can the agent-based file search scan be modified to find older versions of log4j, to include version 1.2, in reference to CVE-2021-4104?


Make sure you’re updated and look for the option in the General tab. The File Searching tab is legacy. From what support told me.

Rapid7 is not scanning for any Log4J assets that are vulnerable… I implemented all the steps as suggested by the Rapid7 blog. Can anyone help? I am now relying on SCCM as it is giving me a good list of all Log4J components on Windows assets, but what about network and Unix devices? @rapid7_sales @rapid7vm_rapid7vm @rapid7_admin @gina_seiber

Does the Windows authenticated check and/or agent search drives other than C:?

Same question I have. I hope it is not searching drives other than C:; can anyone please confirm this?

With the agent for windows or linux how long does it take for vulnerabilities to come off once patched?

@mike when you did authenticated scans, did you use the normal scan template or the custom ones in the directions Rapid7 gave? I have tried both and seem to get no results, but of course I don't know how to check whether it actually took place or whether the asset is vulnerable unless I see the CVE.

Custom one with Enable Windows File System Search enabled in the template and only the latest log4j checks.

On a different note, the latest content update appears to have deleted CVE-2021-44228. The message is “This vulnerability has been deleted. It remains available for reporting and archival purposes.” The checks are now also missing from the templates.

@mike oh man, I had an admin screenshot that to me; he thought it was remediated. I didn't know what it was doing, never seen it before. So it got deleted, maybe, you think?

@am1 @mike both methods search all local drives. So if you have D: local (as an example), they will also search that… but they will NOT search CD drives, network drives, etc.

@dan_martin Thanks, I was able to confirm by searching for the vulnerability and looking at the Proof column. It shows exactly where the related files are, which is helpful.

@mike @vanessa_villalpando I saw this too and it kind of had me worried. Maybe you already figured it out, but I went to create a ticket and saw on the banner: "Support is aware that some customers may see that the check for CVE-2021-44228 (i.e. Log4shell) has been deleted in the InsightVM UI. Our engineering team has determined that the check is NOT deleted. If you restart the product, the issue will resolve, permanently. If you have any further issues, please submit a support case. Thank you"

@todd_cox Thanks, I was just about to open a case. Restarting fixed it.


What option have you enabled to check the D drive? When we run a scan we are not able to detect the D drive; only C drive files are getting searched. I have enabled the Windows file search.

So Mike, when you're running the template with the checks inside, do you know that the assets you're running the checks on are for sure vulnerable? If so, how do you check to see that the checks ran on them if you don't see it flagging for any of the CVEs, to make sure the template worked? I assume if the asset is vulnerable it will flag and show the CVEs in the UI, correct? For authenticated?

I ran scans against our Windows servers with Log4j, and our scanner found CVE-2021-45105 on a couple of our servers. I go to the vulnerability summary, and I see the following:

“This vulnerability has been deleted. It remains available for reporting and archival purposes.”

Did the DoS vuln get removed? I’m not sure I understand this message. Could someone explain, please?

Gee, would really love a report for a SQL Query export. I am not a SQL guy - I inherited Rapid7. I need to provide proof. I am scanning literally thousands of endpoints - would really appreciate if Rapid7 provided us the query to export proofs per host…

Can anyone help with how to identify the log4j 1 version files using the Windows authenticated check?
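For the two recurring questions above (which drives the file search covers, and how to tell log4j 1.x files from 2.x ones), here is an added example that is not part of this thread and not Rapid7 code: it walks the local fixed drives only (so D: is covered but CD and network drives are not, matching what was described), finds `log4j*.jar` files, reads the version from each JAR's manifest (falling back to the filename) and reports whether the `JndiLookup.class` tied to CVE-2021-44228 is present. The drive-type check via `GetDriveTypeW` and the helper names are my own choices, not InsightVM's.

```python
# Added example (not Rapid7 code): walk local fixed drives for log4j JARs and
# classify each as 1.x or 2.x, noting whether JndiLookup.class is present.
import os
import re
import sys
import zipfile

JAR_NAME = re.compile(r"log4j[-\w.]*\.jar$", re.IGNORECASE)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def local_drive_roots():
    """Fixed local drives only: D: is included, CD and network drives are skipped."""
    if sys.platform != "win32":
        return ["/"]
    import ctypes  # GetDriveTypeW returns 3 (DRIVE_FIXED) for local hard disks
    return [f"{c}:\\" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            if ctypes.windll.kernel32.GetDriveTypeW(f"{c}:\\") == 3]

def classify_jar(path):
    """Return version details for one JAR, or None if it cannot be opened."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            version = None
            if "META-INF/MANIFEST.MF" in names:
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                version = m.group(1) if m else None
            if version is None:  # fall back to the version embedded in the filename
                m = re.search(r"(\d+\.\d+(?:\.\d+)?)", os.path.basename(path))
                version = m.group(1) if m else "unknown"
            return {"path": path, "version": version, "major": version.split(".")[0],
                    "has_jndilookup": JNDI_CLASS in names}
    except (zipfile.BadZipFile, OSError):
        return None

def find_log4j_jars(roots):
    """Recursively search the given roots and classify every log4j*.jar found."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                if JAR_NAME.search(name):
                    info = classify_jar(os.path.join(dirpath, name))
                    if info:
                        findings.append(info)
    return findings

if __name__ == "__main__":
    for f in find_log4j_jars(local_drive_roots()):
        print(f"log4j {f['major']}.x {f['version']} JndiLookup={f['has_jndilookup']} {f['path']}")
```

Files that are log4j but not named `log4j*.jar` (shaded or renamed JARs) are not covered by the filename filter, which is the same blind spot a name-based file search has.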

When are VMware templates available? We know these hosts are vulnerable but they are not showing via Rapid7.
