Apache Log4j on Windows Detection Settings Adjustment
Summary
Prior to this update, and out of an abundance of caution, the manifest and properties-file inspection of Java archive (JAR) files was enabled by setting ‘Override Normal Accuracy’ to ‘Show potential false alarms’ for the Apache Log4j JAR Detection (Windows) (156001) plugin, along with enabling the ‘Perform thorough tests’ setting.
Change
The requirement for the ‘Override normal accuracy’ setting to be set to ‘Show potential false alarms’ is being removed, since the inspection method has proven to be accurate and reliable. The ‘Perform thorough tests’ setting must still be enabled for the plugin to perform this in-depth inspection.
Impact
For scan policies and templates with ‘Perform thorough tests’ enabled but ‘Override normal accuracy’ not previously set to ‘Show potential false alarms’, customers may observe more resources being consumed on Windows scan targets during a local or Agent scan, and may also observe additional Apache Log4j detections produced by inspecting the manifest or properties file.
For scan policies and scan templates that have ‘Perform thorough tests’ enabled and ‘Override normal accuracy’ set to ‘Show potential false alarms’, users should see no change in performance, since the ‘Override normal accuracy’ setting is now ignored by plugin 156001.
Plugin
Apache Log4j JAR Detection (Windows) (156001)
Target Release Date
May 2, 2022
Released in Nessus plugin feed 202205021951
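The manifest and properties-file inspection the announcement refers to, shown as an added Python example (not Tenable's plugin code): it reads a JAR's Maven pom.properties first and falls back to MANIFEST.MF, and also recognises the Log4j 1.x groupId that comes up later in the thread. The sample JAR is constructed in memory so the script runs offline, and LOG4J_GROUPS, parse_pairs, inspect_jar and build_sample_jar are names introduced here.

```python
import io
import zipfile

LOG4J_GROUPS = ("org.apache.logging.log4j", "log4j")  # Maven groupIds of Log4j 2.x and 1.x

def parse_pairs(text, sep):
    """Parse 'key<sep>value' lines (pom.properties uses '=', MANIFEST.MF uses ':')."""
    pairs = {}
    for line in text.splitlines():
        if sep in line and not line.startswith((" ", "#", "!")):
            key, value = line.split(sep, 1)
            pairs[key.strip()] = value.strip()
    return pairs

def inspect_jar(data):
    """Return (artifact, version, source_file) if the JAR identifies itself as Log4j, else None."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        # Maven pom.properties carries exact coordinates, so it is checked first.
        for name in sorted(names):
            parts = name.split("/")
            if (len(parts) == 5 and parts[:2] == ["META-INF", "maven"]
                    and parts[2] in LOG4J_GROUPS and parts[4] == "pom.properties"):
                props = parse_pairs(jar.read(name).decode("utf-8", "replace"), "=")
                if "version" in props:
                    return (props.get("artifactId", parts[3]), props["version"], name)
        # Fall back to the manifest when shading or repackaging dropped the Maven metadata.
        if "META-INF/MANIFEST.MF" in names:
            mf = parse_pairs(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"), ":")
            title = mf.get("Bundle-SymbolicName") or mf.get("Implementation-Title", "")
            version = mf.get("Bundle-Version") or mf.get("Implementation-Version")
            if "log4j" in title.lower() and version:
                return (title, version, "META-INF/MANIFEST.MF")
    return None

def build_sample_jar(version="2.14.1", with_pom=True, symbolic_name="org.apache.logging.log4j.core"):
    """Constructed fixture shaped like log4j-core (not a real artifact), so the demo runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                     f"Bundle-SymbolicName: {symbolic_name}\r\n"
                     f"Bundle-Version: {version}\r\n\r\n")
        if with_pom:
            jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                         f"#Generated by Maven\nversion={version}\n"
                         "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    return buf.getvalue()
```

Pointing inspect_jar at real files found on a scan target shows which JARs the thorough-tests inspection would identify, and from which of the two files the version came.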
- jones_bryan (Connect Contributor III)
@Greg Betz Is it still safe to assume that even with removal of the 'Show potential false positive' requirement that log4j vulnerabilities will be marked as mitigated if a subsequent scan runs without the 'Thorough' scan option being enabled?
You are correct; the removal of the 'Show potential false positive' requirement will not affect mitigations.
- jones_bryan (Connect Contributor III)
@Greg Betz Thanks for verifying. I know this Highlight is for Windows; however, is there any way to get details on what changed on the Linux side? We saw a significant drop in vulnerability detections between 4/26-4/28. From the Nessus plugin feed on 4/25 it looks like there was an update to plugin 156000. Was there a highlight I missed? Specifically, we are seeing it impact detections of log4j 1.x for unsupported version.
- jones_bryan (Connect Contributor III)
I see now the plugin for 156860/Apache Log4j 1.x Multiple Vulnerabilities was changed from a severity of Critical to High it looks like.
- stevenbloodwort (Connect Contributor)
I'm a little confused. If it ignores the override normal accuracy with show false positives selected, then why would it cause performance issues if it wasn't previously set? What if both override normal accuracy and perform thorough tests were disabled on scans?