Forum Discussion
Apache Log4j Detection Improvements Summary: Since CVE-2021-4
Apache Log4j Detection Improvements
Summary:
Since CVE-2021-44228 was first announced, Tenable has been working diligently on improving the local detections for Apache Log4j on Windows, Linux, and Unix operating systems based on additional research, testing, telemetry, and customer feedback. These improvements have been released once they were well tested and reviewed due to the urgency and need for Log4j detections. After customer feedback and careful consideration, we have removed the requirement for thorough tests which will lead to less false negatives but will require more resources than scans previously done without thorough tests enabled.
The improvements that have been released or will be released shortly include:
Apache Log4j Installed (Linux / Unix) (156000)
- Utilize the ‘locate’ command (if available) over the ‘find’ command
- Use the same parameters for the ‘find’ command regardless of the thorough tests setting
- Search for and inspect all Java archive files (JAR, WAR, EAR) that can contain Log4j
- Does not recursively extract nested Java archive files due to potential performance and resource issues
- Check the log4j-core JAR file for JndiLookup.class
- Check running processes if the Log4j JAR was supplied in the command line arguments
- Expanded package manager checks to additional OSes
- Fixed a regression that was causing certain 1.x versions to be excluded
- Increased data collection
- Optimizations and Agent enablement for scans against macOS hosts
- Increased timeouts
Apache Log4j JAR Detection (Windows) (156001)
- The file system search was originally performed by an upstream plugin (152357) but has been implemented into 156001 to alway for an optimized file system search for Java archive files (JAR, WAR, EAR) resulting in a considerable performance gain
- Note that the thorough tests requirement was removed to run the file system search
- Search for and inspect all Java archive files that can contain the Log4j JAR file
- Does not recursively extract nested Java archive files due to potential performance and resource issues
- Check the log4j-core JAR file for JndiLookup.class
Tenable is working on and will continue to explore additional enhancements.
Impact:
Customers should expect to see improved local detection of Apache Log4j potentially resulting in an increase in new vulnerability detections and longer scan times. Note that any scans with plugins 156000, 156001, or that depend on these detection plugins enabled may take longer due to the expanded detection methods.
Plugins:
Apache Log4j Installed (Linux / Unix) (156000)
Apache Log4j JAR Detection (Windows) (156001)
Target Release Date:
December 22, 2021:
- Improvements for Apache Log4j JAR Detection (Windows) (156001) - Released in Nessus plugin feed 202112230037
Released December 27, 2021 in Nessus plugin feed 202112280531:
- Inclusion of WAR and EAR files in Apache Log4j Installed (Linux / Unix) - 156000
- JndiLookup.class check in Apache Log4j JAR Detection (Windows) - 156001
The other improvements for Apache Log4j Installed (Linux / Unix) (156000) have been recently or previously released.
18 Replies
great news! Can you share the plugin set version number where these improvements will be included?
@Greg Betz Can you clarify the statement "This is limited to a depth of one level due to performance issues"? Is this true even with Thorough scans enabled?
Also, can you tell us what Plugin feed this was included in?
Hello Bryan. Thanks for pointing this out.
The statement "This is limited to a depth of one level due to performance issues" relates only to the Java archive inspection in which the detection does not recursively extract the contents of nested Java archive files. I'll update the post clarifying that nested Java archive files are not inspected.
For example, the following will be detected:
app.jar
- log4j-core-2.10.0.jar
- org/apache/logging/log4j/log4j-core-2.10.0.jar
A nested JAR file will not be detected, such as:
app-nested.jar
- app-libs.jar
- log4j-core-2.10.0.jar [nested inside app-libs.jar]
We are researching this further but due to the potential performance and resource implications of recursively extracting Java archive files, this has not been included in our detections.
All of these changes except those mentioned under the Target Release Date are included in Nessus plugin feed 202112220551. I'll update this post once the additional improvements to 156000 and 156001 are released.
@Greg Betz Thanks for the clarification! Appreciate the quick reply.
@Greg Betz ,
I have a question: if the search is using 'locate' vs. 'find,' Does the plugin issue the updatedb before the plugin fires? If not, locate will only use the file database to do the search from the last time updatedb is run.
Bobby
@Greg Betz Have the updates been published for these plugins? Specifically, will the standard scans now be able to detect the vulnerability on Windows devices without the need for explicit thorough checks using the Log4Shell template?
Thanks!
Improvements for Apache Log4j JAR Detection (Windows) (156001) have been released in Nessus plugin feed 202112230037
Note: the check for JndiLookup.class in Windows has not been released and another update will go out once that check is added.
@Greg Betz Any eta on when the plugin for jndilookup class on Windows will be released?
Hi Team,
There is log4j vulnerability in Windows 2012 Servers, however, still the Nessus not detecting the log4j file reporting as vulnerable.
I understand the plugins would be updated day by day to improve the detections, However, customers are expecting that if we have the Nessus scanner it will detect the vulnerability and report it.
As a Security engineer we have challenges to keep justify about our Nessus tool capability, how the plugins developed , pushed and detect the vulnerability.
Did we set wrong expectations to the customers about the Nessus scanner or Customer is not understanding about the way of working?
How could we solve these challenges ? I am trying my nest to explain and justify that its not a tool issue and the developer would have challenges to receive the updates from multiple vendor and push the signatures once they have a clear solution in place to detect the vulnerability.
However, the vendor would report to the system owners before vulnerability scanner identify then the customer / CISO started to ask why our scanner doesn't have feasibility to detect the vulnerability?
If the experts could share some inputs / your experience it will be much appreciated !!
Thanks
Venkatesh Poyyalisamy
Ditto. I put a copy of a log4j file directly on the C: drive in a test folder and the 156061 simply isn't finding it/reporting it. Getting asked by upper management the same question as we scramble to use other tools to find these.
BFB Security has identified a possible issue that will obfuscate or miss some embedded jar versions of log4j. We are working with development to update the detection process, check back for updates.
The remaining improvements mentioned in this Release Highlight have been released in Nessus plugin feed 202112280531
Please note that we are working on additional improvements and have been rolling them out in a phased approach which allows us to build upon previous improvements while being cautious about regression issues. The changes that are made to these detection plugins needs to be carefully considered, implemented, and tested since they need to fit alongside many other plugins in different scan configurations without causing issues, unlike tools specifically made for Log4j.
Please open a technical support ticket if you are having issues so that we can collect the required information to diagnosis the issue.
@Greg Betz appreciate the notification about the new plugins. Can you help me understand how to interpret the new plugin output for plugin 156001. I see now that it includes a "jndilookup.cass association" and says "found" or "not found". If it equals "found" does that mean it will still mark log4j vulnerabilities as vulnerable and if "not found" then the vulnerabilities will be marked as mitigated?
Or is the new output strictly informational and have no bearing on the log4j vulnerability plugins?
