Apache Log4j Detection Additional Improvements
Summary:
Additional improvements have been made to the Windows and Linux / Unix detection plugins for Apache Log4j. The improvements that have been recently released or will be released by the target release date include:
Apache Log4j Installed (Linux / Unix) (156000)
- When the filename matches Log4j, the manifest and properties files will now be checked and the version in one of these files will supersede the version from the filename.
  - For example, if ‘log4j-core-2.15.0.jar’ is found but the manifest file has a version of ‘2.16.0’, then ‘2.16.0’ will be reported as the version.
- The Spotlight search via the ‘mdfind’ command will be used on macOS hosts that have indexing enabled and the ‘Perform thorough tests’ setting is not enabled.
- Improved handling of partial results when the plugin would normally time out.
  - Note: the plugin timeout can be adjusted under Advanced Settings (i.e. timeout.156000)
Apache Log4j JAR Detection (Windows) (156001)
- When the filename matches Log4j and the following scan preferences are configured, the manifest and properties files will be checked and the version in one of these files will supersede the version from the filename:
  - ‘Perform thorough tests’ setting is enabled
  - ‘Override normal accuracy’ setting is set to ‘Show potential false alarms’
- Additional debugging has been added to assist in diagnosing potential issues.
- Improved handling of partial results when the plugin would normally time out.
  - Note: the plugin timeout can be adjusted under Advanced Settings (i.e. timeout.156001)
Please open a technical support ticket if you have an issue so that we can collect the required information to diagnose and assist you with your issue.
Impact:
Customers should expect to see improved local detection of Apache Log4j potentially resulting in an increase in new vulnerability detections and potentially longer scan times.
Plugins:
Apache Log4j Installed (Linux / Unix) (156000)
Apache Log4j JAR Detection (Windows) (156001)
Target Release Date:
March 17, 2022
Update:
- Changes to 156000 went out in Nessus plugin feed 202203172204
- Changes to 156001 have been delayed (ETA: March 25)
  - These changes went out in Nessus plugin feed 202203251548
11 Replies
- jones_bryan (Connect Contributor)
@Greg Betz is the target still 3/17 for these updates? I have not seen any as of yet. I am trying to monitor scans after the release so we can understand the impact. Any insight would be appreciated.
- seth_t_johnson (Connect Contributor II)
Looks like 156000 was updated last night. I just did an update this morning and version changed from 1.48 to 1.49. Plugin set 202203172204
- jones_bryan (Connect Contributor)
Thanks for confirming
@Bryan Jones
Changes to 156000 went out in Nessus plugin feed 202203172204
Changes to 156001 have been delayed (ETA: March 22)
- Anonymous
Hi Greg,
Can you please confirm if changes to 156001 have been completed or are still in progress? Thank you
- Anonymous
What is the new estimate for 156001?
Awesome, this is great news! Once 156001 is updated, this will replicate the version information of each log4j jar file to the other log4j 2.X plugins (such as 156183 & 156327) and prevent these findings from occurring from updated jars/modules that have been renamed to previous versions, correct?
I have been trying to get DISA to submit these changes to you as some products (ex: Cameo Systems Modeler https://docs.nomagic.com/display/FAQ/CATIA+Magic+and+No+Magic+products+affected+by+Log4Shell+log4j+vulnerability+-+CVE-2021-44228) tell you to update to application versions with log4j 2.16.0 then replace and rename the files which currently cause the mentioned 2.X findings to reappear even though they are not truly present.
Thanks in advance for any clarification and further assistance.
@Zachary Boyer That is correct, the manifest/properties file will be checked and used in place of the version parsed from the filename.
This change went out in Nessus plugin feed 202203251548
- saurabh_suman1 (Connect Contributor)
For plugin 156001, the current version on the Nessus website is 1.44, with the latest update dated 19.07.2022; however, the mentioned plugin is still not able to detect the log4j version from the Manifest.MF file. The version parsed from the filename is still considered for determining the file version. Any update on this?
@Saurabh Suman, the MANIFEST.MF file is parsed by the 156001 plugin if the following are set in the scan policy:
- ‘Perform thorough tests’ setting is enabled
- ‘Override normal accuracy’ setting is set to ‘Show potential false alarms’
Please open a technical support ticket if you have an issue so that we can collect the required information to diagnose and assist you with your issue.
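
The version precedence described in the announcement (manifest and properties files superseding the filename), sketched as an added example that is not part of this thread and is not Tenable's plugin code. The manifest key `Implementation-Version`, the `pom.properties` path, and the helper names `detect`, `embedded_version` and `build_jar` are assumptions chosen for illustration; the sample JARs are constructed in memory.

```python
import io
import re
import zipfile

# Assumption: the thread does not say which files/keys the plugins read; these are the usual log4j-core locations.
FILENAME_RE = re.compile(r"log4j-core(?:-(\d+(?:\.\d+)+))?[^/\\]*\.jar$", re.I)
MANIFEST = "META-INF/MANIFEST.MF"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def _read(jar, member):
    try:
        return jar.read(member).decode("utf-8", "replace")
    except KeyError:  # member not present in the archive
        return None

def embedded_version(jar):
    text = _read(jar, MANIFEST)  # manifest first, then pom.properties
    if text:
        text = re.sub(r"\r?\n ", "", text)  # unfold manifest continuation lines
        m = re.search(r"^Implementation-Version:[ \t]*(\S+)", text, re.M)
        if m:
            return m.group(1)
    text = _read(jar, POM_PROPS)
    m = re.search(r"^version[ \t]*=[ \t]*(\S+)", text or "", re.M)
    return m.group(1) if m else None

def detect(name, fileobj):
    """Return (version, source), or None when the filename does not match Log4j."""
    m = FILENAME_RE.search(name)
    if not m:
        return None
    try:
        with zipfile.ZipFile(fileobj) as jar:
            found = embedded_version(jar)
    except zipfile.BadZipFile:  # unreadable archive: keep the filename version
        found = None
    return (found, "metadata") if found else (m.group(1), "filename")

def build_jar(manifest_version=None, pom_version=None):
    """Constructed in-memory sample JAR (hypothetical helper for this demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("placeholder.txt", "constructed sample")
        if manifest_version:
            z.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nImplementation-Version: {manifest_version}\r\n")
        if pom_version:
            z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={pom_version}\n")
    return buf

print(detect("log4j-core-2.15.0.jar", build_jar(manifest_version="2.16.0")))
```

Running the same comparison across a host's JAR inventory lists every file whose name and embedded metadata disagree, which is the renamed-JAR situation raised in the replies.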