Tenable Research Release Highlights

Forum Discussion

justinhall
Product Team
2 years ago

Excluding Docker directories in Log4j Linux/Unix detection

Summary

The local log4j detection plugin for Linux/Unix will now exclude two directories used by Docker services to store containers.

Change

Before this update, plugin 156000, Apache Log4j Installed (Linux / Unix), would detect log4j JAR files on an asset’s filesystem using several methods, including using the find command to search for known filename patterns. If the scan target was running the Docker service and hosted containers that have log4j JAR files, the plugin would detect those files and attribute them to the host, instead of to the container. These findings are a result of examining the Docker image layers on the filesystem. As guest containers are often treated as separate machines from their host, these results were seen as false positives by customers.

After this update, two directories used by the Docker service to store containers will be excluded by default from the find command’s search path:

/var/lib/containerd

/var/lib/docker/overlay2

As a result, the plugin will not detect log4j JAR files in these directories. If customers desire to scan these directories for log4j JAR files, the Include Filepath option in the Advanced Scan Settings configuration can be used to force scanning of these paths. This may be found under the Scan Policy Advanced Options. A note of caution: overriding the default behavior could affect scan performance or give results that cannot be remediated, since they are within a managed container.

Tenable Cloud Security is designed to secure container images and provide pre-deployment validation.

Impact

Scans that use a default configuration may report fewer log4j detections from Linux/Unix assets that host a Docker service.

Plugins

156000 - Apache Log4j Installed (Linux / Unix)

Target Release Date

September 9, 2024
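
The default-exclude behaviour described in the post above, sketched as an added shell example (not Tenable's plugin code and not part of the original post). The `log4j*.jar` filename pattern and the function names are assumptions; the two excluded paths are the ones listed in the post.

```shell
#!/bin/sh
# Added example: approximates the behaviour the post describes using find -prune.
# Assumptions: the 'log4j*.jar' pattern and both function names are illustrative.

# Directories the post says are excluded from the search by default.
DOCKER_EXCLUDES="/var/lib/containerd /var/lib/docker/overlay2"

# find_log4j_jars ROOT [include]
#   ROOT     directory to treat as the filesystem root (e.g. / or a scratch tree)
#   include  pass the word "include" to search the Docker storage paths too,
#            comparable to overriding the default with an include-path setting
find_log4j_jars() {
    root="${1%/}"            # strip trailing slash so "/" becomes ""
    mode="${2:-default}"
    set --                   # reuse positional parameters as the find expression
    if [ "$mode" != "include" ]; then
        for d in $DOCKER_EXCLUDES; do
            # -prune stops find from descending into the container storage
            set -- "$@" -path "$root$d" -prune -o
        done
    fi
    find "${root:-/}" "$@" -type f -name 'log4j*.jar' -print 2>/dev/null | sort
}

# container_layer_jars ROOT
#   Lists only the JARs that live inside the Docker storage paths, i.e. the
#   findings that belong to container image layers rather than to the host.
container_layer_jars() {
    root="${1%/}"
    for d in $DOCKER_EXCLUDES; do
        if [ -d "$root$d" ]; then
            find "$root$d" -type f -name 'log4j*.jar' -print 2>/dev/null
        fi
    done | sort
}

# Usage (run manually):
#   find_log4j_jars /            # host findings only, Docker storage pruned
#   find_log4j_jars / include    # host findings plus container layer files
#   container_layer_jars /       # files to track against images, not the host
```

Comparing the first and third listings shows which detections would previously have been attributed to the host even though the files sit in image layers.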

2 Replies

  • cristina_sult
    Connect Contributor

    Hello Justin,

    Is there a plan to include other directories in the excluded list? Like podman?

    Thank you!