Detection Plugins Released for Log4J CVE-2021-44228  

Summary

Tenable has developed and released detection plugins in response to a critical vulnerability reported in Log4j, a Java based logging utility widely used in many applications, cloud services, and websites. The vulnerability is tracked as CVE-2021-44228 and CISA has issued an alert warning that the vulnerability is under active exploitation. Tenable has released scan templates for each of our Tenable products to consolidate CVE-2021-44228 plugins and make running scans for this vulnerability simple and straightforward for our customers. In addition, Tenable.io customers have a new dashboard and a dedicated widget on the Tenable.io main dashboard while Tenable.sc customers have a new dashboard. As new vendor advisory based plugins are developed Tenable will include the plugins in the scan templates on a recurring basis. 

Impact

Tenable customers now have detection plugins to provide initial identification of potentially vulnerable targets that use or contain the Log4j library. As vendor advisories are released for products that contain the Log4j library, Tenable will release plugins specific to each vendor advisory affected by CVE-2021-44228. 

Changes

5 6 NASL plugins for local and remote detection in Nessus, Tenable.sc and Tenable.io + Nessus Scan Template have been released and are available in the feed.

155998 - Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check)

155999 - Apache Log4j < 2.15.0 Remote Code Execution

156000 - Apache Log4j Installed (Unix)

156001 - Apache Log4j JAR Detection (Windows)

156002 - Apache Log4j < 2.15.0 Remote Code Execution

Scan template - Detection of Apache Log4j CVE-2021-44228

***UPDATE 20:30 SAT 11 DEC 2021***

Direct Check Plugin 155998 has a known limitation when run on cloud scanners or across network firewalls. A 6th plugin has been added to the scan template:

156014 - Apache Log4Shell - CVE-2021-44228 [direct check DNS query] 

• a direct check similar to PluginID: 155998 but designed to work on T.io cloud scanners and restrictive networks.

Target Release Date

Immediate

Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.