In-Depth Information About Greenbone’s Log4j Vulnerability Test Coverage
Update from 2021-12-20: information about additional vulnerabilities found for Log4j can be found here.
Update from 2021-12-20: vulnerability tests for products running on Microsoft Windows are now available.
Note: The tests check the existence of Log4j and its version. A separate vulnerability test may not be available for each affected application, but all Log4j files are found and reported (/path-to-log4j-file/).
The reported installation paths must be checked and, if necessary, the vendor must be contacted. It must be checked whether updates are already available for the respective application and whether the finding is relevant.
PowerShell execution privileges on the target system are required for the account used in an authenticated scan. Some vulnerability tests execute PowerShell commands to increase the accuracy of the results, and these require the permissions for the duration of the scan.
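As an added example (not Greenbone's NVT code), the following POSIX shell script does what such a local check does: it walks a directory tree for log4j-core jars, takes the version from the file name, and flags the 2.0.x to below 2.15.0 range that the tests on this page name. The version parsing and the file-naming assumption are mine.

```shell
#!/bin/sh
# Added example, not one of Greenbone's NVTs: like an authenticated local
# check, find Log4j core jars below a directory, read the version from the
# file name and flag the 2.0.x .. < 2.15.0 range the page's tests name.
# Assumes upstream "log4j-core-<version>.jar" naming; shaded jars are missed.

# version_lt A B: succeeds when dotted version A is lower than B.
# Qualifiers such as "-beta9" or "-rc1" are dropped from a component.
version_lt() {
    a=$1 b=$2 i=0
    while [ "$i" -lt 3 ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
        i=$((i + 1))
    done
    return 1
}

# log4j_version_from_name PATH: prints the version embedded in the jar name,
# fails when the name does not match log4j-core-<version>.jar.
log4j_version_from_name() {
    base=${1##*/}
    case $base in
        log4j-core-*.jar) base=${base#log4j-core-}; printf '%s\n' "${base%.jar}" ;;
        *) return 1 ;;
    esac
}

# scan_log4j ROOT: one line per jar found, "<path> <version> <status>".
# "affected" marks 2.0 <= version < 2.15.0; anything else is "check-vendor",
# since a newer or odd version still needs the vendor's advice (see the note).
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r f; do
        v=$(log4j_version_from_name "$f") || continue
        if version_lt "$v" 2.15.0 && ! version_lt "$v" 2.0; then
            status=affected
        else
            status=check-vendor
        fi
        printf '%s %s %s\n' "$f" "$v" "$status"
    done
}
```

Source the file and run `scan_log4j /opt` (or any root); every reported path still needs the vendor check described in the note above, because a jar outside the flagged range may be mitigated or may be shipped inside a product with its own advisory.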
Update from 2021-12-15: an additional attack vector was identified and reported in CVE-2021-45046. We are working on vulnerability tests for this vector, although our existing tests also work for this additional case. We recommend updating to the latest Log4j version. The attack is more complicated, and protecting against it requires a different configuration. But as this is a very new vector, we advise to be better safe than sorry. For more information see https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/.
This article collects answers to the most frequently asked questions regarding Greenbone’s Log4j vulnerability test coverage.
What Is this Vulnerability About?
The “Log4Shell” vulnerability affects a software library responsible for recording events (so-called “logging”) in software written in the Java programming language. A malicious attacker can use this vulnerability to execute code on the affected systems.
Since this vulnerability can be exploited through the Internet and without any authentication, this can be very critical for affected systems and companies. As the software is also included in a lot of software and services accessible through the Internet, many companies and services are likely to be affected.
More information about this vulnerability can be found here:
- heise online (German only): https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html
- Federal Office for Information Security (German only): https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/211211_log4Shell_WarnstufeRot.html
- LunaSec: https://www.lunasec.io/docs/blog/log4j-zero-day/
- National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Are any Greenbone Products and Services Affected?
We checked the status of potentially affected systems with the highest priority. None of our products or internally and externally provided services are affected.
Can Greenbone Products Detect this Vulnerability?
Yes, detection routines have been integrated into the Greenbone Community Feed and into the Greenbone Enterprise Feed starting with feed version 202112130808. This means that both our appliances and our cloud product are able to detect this vulnerability.
While detection routines are available, the complex nature of this vulnerability means that a detection cannot be guaranteed to find every single affected system or product. This especially applies to unauthenticated “remote” checks, for the following reasons:
- The product or service may only be vulnerable under very specific circumstances. As the Log4j library is very complex and highly configurable and it is used differently in many products, it is not possible to find all vulnerable instances through a remote check.
- Security configurations in the customer’s network may prevent a successful verification of the vulnerability.
- Products and services may also be affected indirectly.
A custom scan configuration for directly detecting this vulnerability as quickly as possible is also available through both feeds. Please note that the current scan configuration only contains active checks (remote and local). Package-version checks are not included to keep the scan configuration, and thus the scan time, minimal.
Is the Detection Included in the Greenbone Community Feed?
Yes. A basic detection for the vulnerability is included in both feeds. Additional vulnerability tests for potentially affected enterprise products are available through the Greenbone Enterprise Feed.
Which Detection Is Included in Which Feed?
Greenbone Enterprise Feed
We are continuously deploying vulnerability tests into the Greenbone Enterprise Feed, so the following list may be incomplete, but reports the status as of 12:00 p.m.
Important: To get the most current information regarding your installation, you can search for ~CVE-2021-44228 in the “CVE” and “NVTs” section of the “SecInfo” menu on the web interface of your installation.
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (Log4Shell)
- Apache Log4j Detection (Linux/Unix SSH Login)
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (HTTP, Log4Shell) – Active Check
- Apache Struts 2.5.x Log4j RCE Vulnerability (Log4Shell)
- Apache Druid < 0.22.1 Multiple Vulnerabilities (Log4Shell)
- Apache Flink < 1.13.4, 1.14.x < 1.14.1 Log4j RCE Vulnerability (Log4Shell)
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (TCP, Log4Shell) – Active Check
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (UDP, Log4Shell) – Active Check
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (SIP, Log4Shell) – Active Check
- Apache Solr 7.x, 8.x Log4j RCE Vulnerability (Log4Shell) – Version Check
- Debian: Security Advisory for apache-log4j2 (DSA-5020-1)
- Debian LTS: Security Advisory for apache-log4j2 (DLA-2842-1)
- Elastic Logstash Log4j RCE Vulnerability (Log4Shell)
- Openfire < 4.6.5 Log4j RCE Vulnerability (Log4Shell)
- VMware vCenter Server 6.5, 6.7, 7.0 Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell) – Version Check
- VMware Workspace ONE Access Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
- VMware vRealize Operations Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
- VMware vRealize Log Insight Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
- VMware vRealize Automation Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
- VMware vRealize Orchestrator Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
- VMware vCenter Server 6.5, 6.7, 7.0 Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell) – Active Check
- ArcGIS Server <= 10.7.1 Log4j RCE Vulnerability (Log4Shell)
- Metabase < 0.41.4 Log4j RCE Vulnerability (Log4Shell)
- Splunk 8.1.x, 8.2.x Log4j RCE Vulnerability (Log4Shell)
- Wowza Streaming Engine <= 4.8.16 Log4j RCE Vulnerability (Log4Shell)
- SonicWall Email Security 10.x Log4j RCE Vulnerability (SNWLID-2021-0032, Log4Shell)
- IBM WebSphere Application Server Log4j RCE Vulnerability (6525706, Log4Shell)
Greenbone Community Feed
We are continuously deploying vulnerability tests into the Greenbone Community Feed, so the following list may be incomplete, but reports the status as of 12:00 p.m.
Important: To get the most current information regarding your installation, you can search for ~CVE-2021-44228 in the “CVE” and “NVTs” section of the “SecInfo” menu on the web interface of your installation.
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (Log4Shell)
- Consolidation of Apache Log4j detections
- Apache Log4j Detection (Linux/Unix SSH Login)
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (HTTP, Log4Shell) – Active Check
- Debian: Security Advisory for apache-log4j2 (DSA-5020-1)
- Elastic Logstash Log4j RCE Vulnerability (Log4Shell)
- Debian LTS: Security Advisory for apache-log4j2 (DLA-2842-1)
- Openfire < 4.6.5 Log4j RCE Vulnerability (Log4Shell)
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (TCP, Log4Shell) – Active Check
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (UDP, Log4Shell) – Active Check
- Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (SIP, Log4Shell) – Active Check
About Authenticated/Unauthenticated Tests
Some version checks require authentication, others do not, and some exist in both an authenticated and an unauthenticated variant.
The respective information is available through the links returned by the search for ~CVE-2021-44228 in the “CVE” and “NVTs” section of the “SecInfo” menu on the web interface of your installation.
The “Quality of Detection” (QoD) value contains information on the detection method. A value of “package (97 %)” indicates an authenticated check; other values such as “remote_banner (80 %)” indicate an unauthenticated check.
For more technical information about this see https://docs.greenbone.net/GSM-Manual/gos-21.04/en/reports.html#quality-of-detection-concept.
About Active Tests / Tests Checking the Version, QoD
You can see whether a test is an active check based on the QoD and the “Detection Method” shown on the web interface when viewing the vulnerability test details.
Note: Only systems which are actually logging input which can be modified by an attacker (e.g., specific HTTP request headers, URLs, …) are vulnerable.
The detection method, Quality of Detection, mitigation and lots of further details are available through the links returned by the search for ~CVE-2021-44228 in the “CVE” and “NVTs” section of the “SecInfo” menu on the web interface of your installation.
Scanning for Nodes on Separate VRFs & VLANs
- Out-of-band (OOB) scanning is currently not possible. Please scan in each segment separately.
- We are considering integrating such an out-of-band (OOB) communication/external interaction capability in the future.
Elmar Geese has many years of experience in IT and IT security. He has been a member of the Greenbone management team since 2018 and a member of the Greenbone AG Executive Board since 2023.
He is particularly interested in the topics of management, security and the management of security, so-called artificial and human intelligence, especially in the context of cybersecurity.
As a trained musician, he still enjoys playing various instruments and is a great fan of classical music.