Continuous monitoring for Log4j vulnerabilities

Detectify now checks for the critical and actively exploited Apache Log4j vulnerability CVE-2021-44228, a.k.a. Log4Shell. Customers can start scanning their assets straight away. New to Detectify? Start a trial today and get unlimited scanning for 2 weeks.

How has the Log4j threat impacted software?

The CVE-2021-44228 Apache Log4j RCE vulnerability allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Some of the software identified as potentially vulnerable includes Solr, Druid, Flink, Struts2, Logstash, Redis, Elasticsearch, Kafka, Pulse Secure, Spark, and Tomcat.

Crowdsourced security is a must

Thanks to our ethical hacking community, Crowdsource, we’ve received a variety of proofs of concept with valid payloads for the CVE-2021-44228 Apache Log4j RCE, and Detectify customers continue to benefit from the growing testbed, which gives better coverage of this critical vulnerability.

How extensively does Detectify check for Log4j vulnerabilities?

Detectify Surface Monitoring sends payloads in request headers and URLs (in some cases, query parameters too). We currently send over 20 malformed requests for the Log4j vulnerability to our customers’ assets (including GET request parameters in some tests). When we send a payload and then observe an attempt to resolve a domain, we produce a vulnerability finding.

Vulnerabilities we scan for:

  • CVE-2021-44228: Log4Shell (log4j) RCE
  • CVE-2021-45046: Log4Shell (log4j) Bypass RCE
  • Apache OFBiz Log4Shell (log4j) RCE
  • Apache Solr Log4Shell (log4j) RCE
  • Apache Struts2 Log4Shell (log4j) RCE
  • MobileIron Log4Shell (log4j) RCE
  • Tableau Log4Shell (log4j) RCE
  • VMware Horizon Log4Shell (log4j) RCE
  • VMware vCenter Log4Shell (log4j) RCE

See our blog post for more information.

In Application Scanning, customers have access to all of the above and more. Detectify scanning engines crawl customer applications and then extensively fuzz all parameters, such as cookies, JSON keys, and query parameters. We also send payloads in certain events, such as an error. If we receive a DNS pingback, a vulnerability finding is triggered.
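
The DNS-pingback check described for Surface Monitoring and Application Scanning can be sketched as a correlation step: each probe carries a unique hostname, and a finding is raised only when that hostname shows up in the callback zone's query log. This is an added example, not Detectify's code; the token scheme, the `oob.example.test` zone, the log format and all function names are assumptions, and the log lines are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"    # assumption: per-scan secret, keeps tokens unguessable
CALLBACK_ZONE = "oob.example.test"  # assumption: zone whose DNS queries the scanner logs

def make_token(asset: str, injection_point: str) -> str:
    """Derive a DNS-safe label unique to one asset and injection point."""
    msg = f"{asset}|{injection_point}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]

def plan_probes(asset, injection_points):
    """Map token -> (asset, injection point) for every probe to be sent."""
    return {make_token(asset, p): (asset, p) for p in injection_points}

def correlate(dns_log_lines, probes):
    """Return one finding per probe whose token appeared in a DNS query."""
    findings, suffix = {}, "." + CALLBACK_ZONE
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 4:          # constructed format: "<time> <source> <qtype> <qname>"
            continue
        ts, src, _qtype, qname = parts
        qname = qname.rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        # The token is the label directly left of the zone; extra leading labels are tolerated.
        token = qname[: -len(suffix)].rsplit(".", 1)[-1]
        if token in probes and token not in findings:   # unknown tokens are noise, repeats are deduplicated
            asset, point = probes[token]
            findings[token] = {"asset": asset, "injection_point": point,
                               "first_seen": ts, "resolver": src}
    return list(findings.values())

# Constructed sample: three planned probes, one of which triggers a pingback.
PROBES = plan_probes("shop.example.test", ["header:User-Agent", "header:X-Api-Version", "query:q"])
UA = make_token("shop.example.test", "header:User-Agent")
SAMPLE_LOG = [
    f"2021-12-14T10:00:01Z 198.51.100.7 A {UA}.oob.example.test.",
    f"2021-12-14T10:00:02Z 198.51.100.7 AAAA {UA}.oob.example.test.",
    "2021-12-14T10:00:03Z 203.0.113.9 A deadbeefdeadbeefdead.oob.example.test.",
    "2021-12-14T10:00:04Z 203.0.113.9 A www.example.org.",
]
FINDINGS = correlate(SAMPLE_LOG, PROBES)

if __name__ == "__main__":
    print(FINDINGS)
```

Because the token maps back to a single injection point, the finding tells the asset owner which header or parameter reached a vulnerable logger, which is where remediation and log review should start.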

Please note: due to the evolving nature of the situation, we may change how we scan for Log4j.