Testing for CVE-2021-44228 (Log4j/Log4Shell vulnerability)

Hi,

To reduce false positives and false negatives, why don’t you check for the connection back twice, or even three times? Then you have one plugin for reliable reports and one for unreliable reports.

Update (also included in the first part of the thread):

Update from 2021-12-20: vulnerability tests for products running on Microsoft Windows are now available.

Note: The tests check for the existence of log4j and its version. A separate vulnerability test may not be available for each affected application, but all log4j files are found and reported (/path-to-log4j-file/).

The issued installation paths must be checked and, if necessary, the vendor must be contacted. It must be checked whether updates are already available for the respective application and whether the find is relevant.

PowerShell execution privileges on a target system are required for the account used in an authenticated scan. Some vulnerability tests execute PowerShell commands to increase the accuracy of the results, which requires these permissions for the duration of a scan.

Source: In-Depth Information About Greenbone's Log4j Vulnerability Test Coverage - Greenbone

3 Likes
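As a defender-side illustration of what the update above describes (finding every log4j file on a host and reporting its path and version so the installation paths can be checked), here is an added example that is not Greenbone's code and not part of this thread. It walks a directory tree, opens every jar/war/ear/zip, reads `Implementation-Version` from `META-INF/MANIFEST.MF` (falling back to the version in the file name), looks inside WARs and fat jars for bundled `log4j-core-*.jar` entries, and classifies 2.x versions below 2.15.0 as affected by CVE-2021-44228. The sample jars it scans are constructed in a temporary directory; the file-name pattern and the treatment of backport releases are simplifying assumptions.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 was fixed in Log4j 2.15.0, so every 2.x release below that is
# treated as affected here (the later 2.12.2 / 2.3.1 backports are flagged too;
# that is a deliberate simplification, not a statement about those releases).
FIXED_IN = (2, 15, 0)

# Matches log4j-core-<ver>.jar and the old log4j-<ver>.jar, not log4j-api-*.jar
# (the JNDI lookup lives in log4j-core). Assumed naming convention.
LOG4J_NAME = re.compile(r"log4j(?:-core)?-(\d[\w.\-]*?)\.jar$")
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def classify(version):
    """AFFECTED / FIXED for 2.x, NOT_APPLICABLE_1X for the separate 1.x code base."""
    v = parse_version(version)
    if v[0] != 2:
        return "NOT_APPLICABLE_1X"
    return "AFFECTED" if v < FIXED_IN else "FIXED"


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF of an open ZipFile, or None."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def inspect_archive(location, zf):
    """Yield (location, version, status) for the archive itself and any log4j jar nested in it."""
    match = LOG4J_NAME.search(location)
    if match:
        version = manifest_version(zf) or match.group(1)  # manifest first, file name as fallback
        yield location, version, classify(version)
    for entry in zf.namelist():  # WAR/EAR/fat jars bundle log4j under WEB-INF/lib and similar
        if LOG4J_NAME.search(Path(entry).name):
            with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                yield from inspect_archive(f"{location}!/{entry}", inner)


def scan(root):
    """Walk root and report every log4j artefact as (path relative to root, version, status)."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(p):
            with zipfile.ZipFile(p) as zf:
                findings.extend(inspect_archive(p.relative_to(root).as_posix(), zf))
    return findings


def make_archive(path, version=None, nested=None):
    """Constructed stand-in for a real jar: a zip with a manifest and optional nested entries."""
    path.parent.mkdir(parents=True, exist_ok=True)
    manifest = "Manifest-Version: 1.0\r\n"
    if version:
        manifest += f"Implementation-Version: {version}\r\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in (nested or {}).items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed sample filesystem: two core jars, a 1.x jar, an api-only jar and a WAR."""
    root = Path(root)
    make_archive(root / "app1/lib/log4j-core-2.14.1.jar", "2.14.1")
    make_archive(root / "app2/lib/log4j-core-2.17.1.jar", "2.17.1")
    make_archive(root / "legacy/log4j-1.2.17.jar")                  # version only in the file name
    make_archive(root / "app3/lib/log4j-api-2.14.1.jar", "2.14.1")  # api jar: not reported
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\r\n")
    make_archive(root / "webapps/shop.war",
                 nested={"WEB-INF/lib/log4j-core-2.14.1.jar": inner.getvalue()})


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for location, version, status in demo():
        print(f"{status:18} {version:8} {location}")
```

Pointing `scan()` at a real root (for example `/opt` or a container's overlay directory) gives the same `path, version, status` triples the update talks about; the nested-archive step matters in practice because a WAR that bundles its own `log4j-core` is missed by a check that only looks at files on disk.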

Hey @DeeAnn, are there any planned actions to increase the accuracy of the http active plugin? It’s reporting many FPs.

I am using a fully updated version of OpenVAS, the CVE is listed, but the scanner does not detect it.
I am running a docker container, which is for sure vulnerable: GitHub - kozmer/log4j-shell-poc: A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability.
In the IDS of my Unifi, I see that the scanner is trying to detect it. But no result is shown.

Hi @winterk, I’m not sure which plugin that is, did it come default with the install or is it an external community plugin?

Hi @yeet, this post from @cfi up-thread offers some insight on scanning against proof-of-concept containers: Testing for CVE-2021-44228 (Log4j/Log4Shell vulnerability) - #55 by cfi

1 Like

@DeeAnn It’s a community plugin (2021/apache/gb_log4j_CVE-2021-44228_http_active.nasl).

BTW, with the new feed it’s not working at all, as a function is not defined somewhere:
2021/apache/gb_log4j_CVE-2021-44228_http_active.nasl)(pcap_func.inc:380) In function ‘pcap_src_ip_filter_from_hostnames()’: Undefined function ‘get_host_names’

How could this error get into the community feed?

This means that you’re using an outdated version of GVM (GVM 10 or even older, like OpenVAS 9) which reached its End of Life at least one year ago.

Please plan an upgrade to the still supported GVM version 21.04 ASAP, as there are no guarantees that the feed won’t be incompatible with EOL versions of GVM.

2 Likes