Tenable Research Release Highlights

Forum Discussion

gbetz
4 years ago

Apache Log4j Detection Additional Improvements

Summary:

Additional improvements have been made to the Windows and Linux / Unix detection plugins for Apache Log4j. The improvements, which have been recently released or will be released by the target release date, include:

  Apache Log4j Installed (Linux / Unix) (156000)

  • When the filename matches Log4j, the manifest and properties files will now be checked and the version in one of these files will supersede the version from the filename.
    • For example, if ‘log4j-core-2.15.0.jar’ is found but the manifest file has a version of ‘2.16.0’, then ‘2.16.0’ will be reported as the version.
  • The Spotlight search via the ‘mdfind’ command will be used on macOS hosts that have indexing enabled and the ‘Perform thorough tests’ setting is not enabled.
  • Improved handling of partial results when the plugin would normally time out.
    • Note: the plugin timeout can be adjusted under Advanced Settings (i.e. timeout.156000)

  Apache Log4j JAR Detection (Windows) (156001)

  • When the filename matches Log4j and the following scan preferences are configured, the manifest and properties files will be checked and the version in one of these files will supersede the version from the filename:
    • ‘Perform thorough tests’ setting is enabled
    • ‘Override normal accuracy’ setting is set to ‘Show potential false alarms’ 
  • Additional debugging has been added to assist in diagnosing potential issues.
  • Improved handling of partial results when the plugin would normally time out.
    • Note: the plugin timeout can be adjusted under Advanced Settings (i.e. timeout.156001)

Please open a technical support ticket if you have an issue so that we can collect the required information to diagnose and assist you with your issue.

Impact:

Customers should expect to see improved local detection of Apache Log4j potentially resulting in an increase in new vulnerability detections and potentially longer scan times.

Plugins:

Apache Log4j Installed (Linux / Unix) (156000)

Apache Log4j JAR Detection (Windows) (156001)

Target Release Date:

March 17, 2022

Update:

  • Changes to 156000 went out in Nessus plugin feed 202203172204
  • Changes to 156001 have been delayed (ETA: March 25)
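
The filename-versus-manifest check described above for plugins 156000 and 156001, sketched as an added example (not Tenable's plugin code and not part of the original post). It assumes the version is read from the manifest's `Implementation-Version` attribute or a Maven `pom.properties` `version=` line, with the manifest consulted first; `resolve_version` and `build_sample_jar` are hypothetical names, and the sample JAR is constructed in memory.

```python
import io
import re
import zipfile

# Assumption: filenames follow the page's example, e.g. log4j-core-2.15.0.jar
FILENAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)", re.I)

def _manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:[ \t]*(\S+)", text, re.M)
    return m.group(1) if m else None

def _properties_version(zf):
    """version= from a log4j artifact's Maven pom.properties, or None."""
    for name in zf.namelist():
        if (name.startswith("META-INF/maven/") and "log4j" in name
                and name.endswith("pom.properties")):
            text = zf.read(name).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", text, re.M)
            if m:
                return m.group(1)
    return None

def resolve_version(jar_name, jar_file):
    """Return every version seen and the one to report; embedded metadata
    supersedes the filename (manifest-before-properties is an assumption)."""
    m = FILENAME_RE.search(jar_name)
    from_name = m.group(1) if m else None
    with zipfile.ZipFile(jar_file) as zf:
        from_manifest = _manifest_version(zf)
        from_props = _properties_version(zf)
    reported = from_manifest or from_props or from_name
    return {"filename": from_name, "manifest": from_manifest,
            "properties": from_props, "reported": reported,
            "mismatch": bool(from_name and reported != from_name)}

def build_sample_jar(manifest_version):
    """Constructed in-memory JAR for the demo (not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                    f"Implementation-Version: {manifest_version}\r\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(resolve_version("log4j-core-2.15.0.jar", build_sample_jar("2.16.0")))
```

A `mismatch` of `True` flags a JAR whose name and embedded metadata disagree, which is the renamed-file case raised in the replies.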

11 Replies

  • jones_bryan
    Connect Contributor

    @Greg Betz is the target still 3/17 for these updates? I have not seen any as of yet. I am trying to monitor scans after the release so we can understand the impact. Any insight would be appreciated.

    • seth_t_johnson
      Connect Contributor II

      Looks like 156000 was updated last night. I just did an update this morning and version changed from 1.48 to 1.49. Plugin set 202203172204

    • gbetz

      @Bryan Jones

      Changes to 156000 went out in Nessus plugin feed 202203172204

      Changes to 156001 have been delayed (ETA: March 22)

      • Anonymous

        Hi Greg,

        Can you please confirm if changes to 156001 have been completed or are still in progress? Thank you

  • Awesome, this is great news! Once 156001 is updated this will replicate the version information of each log4j jar file to the other log4j 2.X plugins (such as 156183 & 156327) and prevent these findings from occurring from updated jars/modules that have been renamed to previous versions, correct?

    I have been trying to get DISA to submit these changes to you as some products (ex: Cameo Systems Modeler https://docs.nomagic.com/display/FAQ/CATIA+Magic+and+No+Magic+products+affected+by+Log4Shell+log4j+vulnerability+-+CVE-2021-44228) tell you to update to application versions with log4j 2.16.0 then replace and rename the files which currently cause the mentioned 2.X findings to reappear even though they are not truly present.

    Thanks in advance for any clarification and further assistance.

  • @Zachary Boyer That is correct, the manifest/properties file will be checked and used in place of the version parsed from the filename.

    This change went out in Nessus plugin feed 202203251548

  • saurabh_suman1
    Connect Contributor

    For plugin 156001, the current version on the Nessus website is 1.44 with the latest date of update as 19.07.2022; however, the mentioned plugin is still not able to detect the log4j version from the Manifest.MF file. The version parsed from the filename is still considered for determining the file version. Any update on this?

    • gbetz

      @Saurabh Suman, the MANIFEST.MF file is parsed by the 156001 plugin if the following are set in the scan policy:

      • ‘Perform thorough tests’ setting is enabled
      • ‘Override normal accuracy’ setting is set to ‘Show potential false alarms’ 

      Please open a technical support ticket if you have an issue so that we can collect the required information to diagnose and assist you with your issue.