Apache Log4j Detection Improvements Summary: Since CVE-2021-4
The remaining improvements mentioned in this Release Highlight have been released in Nessus plugin feed 202112280531
Please note that we are working on additional improvements and have been rolling them out in a phased approach which allows us to build upon previous improvements while being cautious about regression issues. The changes that are made to these detection plugins need to be carefully considered, implemented, and tested since they need to fit alongside many other plugins in different scan configurations without causing issues, unlike tools specifically made for Log4j.
Please open a technical support ticket if you are having issues so that we can collect the required information to diagnose the issue.
@Greg Betz appreciate the notification about the new plugins. Can you help me understand how to interpret the new plugin output for plugin 156001? I see now that it includes a "JndiLookup.class association" and says "found" or "not found". If it equals "found" does that mean it will still mark log4j vulnerabilities as vulnerable, and if "not found" then the vulnerabilities will be marked as mitigated?
- 4 years ago
Or is the new output strictly informational and has no bearing on the log4j vulnerability plugins?
- 4 years ago
Hello @Bryan Jones. You are correct–if either detection plugin reports "JndiLookup.class association" as "Not Found", then the corresponding vulnerability plugins (156057 or 156002) will not flag and cause them to be marked as mitigated.
There's also a catchall for unexpected cases that will set the "JndiLookup.class association" attribute to have a value of "Unknown", which will still cause the vulnerability plugins to flag detected Log4j JAR files to avoid causing false negatives.
- 4 years ago
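The three-state decision described in the answer above (an explicit "Not Found" suppresses the finding; "Found" and the catch-all "Unknown" both flag) can be illustrated with a small stand-alone check. This is an added example written for this page, not Tenable's plugin code, and it does not claim to reproduce how plugins 156001, 156057 or 156002 inspect archives. It assumes the class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` (the class whose removal was the published mitigation) and builds its own minimal sample archives in memory; none of them is a real Log4j build.

```python
import io
import zipfile

# Entry inside a Log4j 2 JAR whose presence the thread calls the
# "JndiLookup.class association". Removing it was the documented mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jndi_lookup_association(jar_bytes: bytes) -> str:
    """Classify a JAR by whether JndiLookup.class is present.

    Returns "Found", "Not Found", or "Unknown". "Unknown" is the catch-all
    for anything that cannot be inspected (for example a corrupt or
    truncated archive), mirroring the behaviour described in the thread.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return "Unknown"
    return "Found" if JNDI_LOOKUP_CLASS in names else "Not Found"


def should_flag(association: str) -> bool:
    """Decide whether a vulnerability finding should be raised.

    Only an explicit "Not Found" marks the JAR as mitigated. "Found" and
    "Unknown" both flag, so an inspection failure never turns into a
    false negative.
    """
    return association != "Not Found"


def build_sample_jar(include_jndi_lookup: bool) -> bytes:
    """Construct a minimal stand-in JAR (constructed sample, not Log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Placeholder class file; only the entry names matter for this check.
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def classify_samples() -> dict:
    """Run the check over three constructed cases: unpatched, class removed, unreadable."""
    samples = {
        "unpatched": build_sample_jar(include_jndi_lookup=True),
        "class_removed": build_sample_jar(include_jndi_lookup=False),
        "corrupt": b"not a zip archive",
    }
    return {name: jndi_lookup_association(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, assoc in classify_samples().items():
        verdict = "flag" if should_flag(assoc) else "mitigated"
        print(f"{name:14s} JndiLookup.class association: {assoc:9s} -> {verdict}")
```

The point worth carrying over to any scanner logic is the asymmetry in `should_flag`: a failed inspection is treated like a positive, not a negative, so a JAR that cannot be opened still shows up as a finding for an analyst to verify by hand rather than silently disappearing from the report.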
Thanks for the clarification.