Qualys : Out-of-Band Detection for Log4Shell

Log4j is the de facto logging library for all Java applications, as Log4j is used in most Java-based applications. The challenge is that Java applications that use the log4j-vulnerable library can be coded, packaged, and deployed using different methods - this introduces a challenge for detection logic.

Qualys has released multiple QIDs (see blog for details) to detect Log4Shell. Those QIDs detection logic assumes best practices were used to embed the log4j library inside a Java application, however, as explained, it is not guaranteed that developers will use best practices to embed the Log4j library in their code, as such an in-depth approach for detection is required to complement those QIDs.

To help our customers, the Qualys team has created an out-of-band script for Linux and a Utility for Windows which can be run on Windows and Linux and perform a "deep" file scan to find all instances of a vulnerable log4j library. The benefit of such a tool is that it should find all instances of a vulnerable log4j library regardless of the Java application coding, packaging, and deployment method used. The disadvantage is that this tool performs a "deep" search on the entire hard drive, including archives, which is a time-consuming and CPU-consuming task. As such, we recommend running this tool "out-of-band".

Note that any Java application may be vulnerable to Log4Shell, Java client applications may also be vulnerable as this vulnerability is not exclusive for web servers.

Qualys has open-sourced the detection utility/script to help even if you are not a Qualys customer. The script, source code, and binaries are available on GitHub:

• Windows: https://lnkd.in/gA9HpSBH
• Linux: https://lnkd.in/gmWMiTe5

How it works:

1. The utility/script scans the entire hard drive and looks for file JndiLookup.class (this file indicates that log4j with the vulnerability may be present)
2. Once this file is found, the utility/script validates the version of the log4j jar based on its manifest.
   1. The utility/script will search for this class inside all Jars, nested Jars, and other Java-based archives.
3. Vulnerable log4j jars will be reported to file.

QID to process utility output

1. A new QID (QID 376160) has been created to parse the output of these scripts.
2. The QID reads the output as written by the script/utility and reports the findings.

Note: The QID requires the utility/script to run on the asset before the Qualys scanner scans for the QID.

How to use:

• Download the script or utility from the corresponding GitHub link
  • GitHub - Qualys/log4jscanwin: Log4j Vulnerability Scanner for Windows - note that a compiled version is available on the GitHub page
  • GitHub - Qualys/log4jscanlinux
• Run the utility/script on every asset
  • Instructions on how to run the utility/script can be found on the GitHub page
• The results will be stored (by the utility or script) to disk. See GitHub page for the file location per OS.
• The next time a VM scan runs, it will pick up the result of the script/utility and post the QID in case the results of the script/utility indicate a vulnerable asset.

Note:

Our engineers are working on adding a method to run those in-depth searches directly from the Qualys platform without the need to use an external tool. We will update this blog as soon as this solution is available for our customers.

Related