Apache Log4j Detection Additional Improvements

Summary:

Additional improvements have been made to the Windows and Linux / Unix detection plugins for Apache Log4j. The improvements have been released or will be released shortly include:

  Apache Log4j Installed (Linux / Unix) (156000)

• Check the MANIFEST or properties file in detected Java archive files for the presence and version of Log4j.
  • The detected version from this method will be used over other versions detected.
  • Only the file contained directly within the Java archive file will be inspected. There is no recursion at this time.
• Improved error handling and handling of partial results when the plugin would normally time out.
  • Any errors will be included in the report after the detected installs.
• Additional alternative commands (‘jar’ and ‘grep’) used for Java archive inspection
• Extra processing of the ‘locate’ database
• Increased timeouts
  • Note: the plugin timeout can be adjusted under Advanced Settings for Nessus 8.15.1 and later.

  Apache Log4j JAR Detection (Windows) (156001)

• Check the MANIFEST or properties file in detected Java archive files for the presence and version of Log4j.
  • The detected version from this method will be used over other versions detected.
  • Only the file contained directly within the Java archive file will be inspected. There is no recursion at this time.
• Increased timeouts

Please note that we are working on additional improvements and have been rolling code changes out in a phased approach which allows us to build upon previous improvements while being cautious about potential issues. The changes that are made to these detection plugins need to be carefully considered, implemented, and tested since they need to fit alongside many other plugins in different scan configurations without causing issues unlike tools specifically made for Apache Log4j.

Please open a technical support ticket if you are having issues so that we can collect the required information to diagnose your issue.

Impact:

Customers should expect to see improved local detection of Apache Log4j potentially resulting in an increase in new vulnerability detections and longer scan times.

Note that any scans with plugins 156000, 156001, or that depend on these detection plugins enabled may take longer due to the expanded detection methods.

Plugins:

Apache Log4j Installed (Linux / Unix) (156000)

Apache Log4j JAR Detection (Windows) (156001)

Target Release Date:

By January 7, 2022 (released in plugin feed 202201080412)