Open source Log4j scanners are here to save the day

Multiple cybersecurity experts have now released free-to-use scanners to help organizations look for vulnerable Log4j instances.

The Cybersecurity and Infrastructure Security Agency (CISA), for example, has published a Log4j scanner on GitHub, based on a previous version built by security firm FullHunt.

CISA said this tool scans for two vulnerabilities - CVE-2021-44228 and CVE-2021-45046 - and offers support for DNS callback for vulnerability discovery and validation. It also provides automatic bug detection for HTTP POST Data parameters, as well as JSON data parameters.

Cybersecurity experts from Crowdstrike have also published a similar scanner called CAST.

Scanners have flaws

However, researchers have warned that none of these tools are perfect, and may end up missing a vulnerability or two.

Yotam Perkal, research lead at security firm Rezilion, analyzed these tools and published the results in a blog post. According to Perkal, many scanners missed out on some versions of the vulnerability. 

"The biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files – which means that a shallow search for the file won't find it," wrote Perkal. "Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages."

Perkal tested a total of nine scanners, and while some performed better than others, none were able to identify all vulnerable Log4j deployments.

"It also reminds us that detection abilities are only as good as your detection method. Scanners have blindspots," Perkal concluded. "Security leaders cannot blindly assume that various open-source or even commercial-grade tools will be able to detect every edge case. And in the case of Log4j, there are a lot of edge instances in many places."

Log4Shell

Log4j is a Java logger that was recently discovered to hold a critical flaw, which could allow malicious actors (even those with very little skill) to run arbitrary code on millions of endpoints, and push out malware, ransomware and cryptominers.

Further investigation uncovered that Log4Shell, as the flaw is dubbed, is one of the most serious security vulnerabilities in recent history. Jen Easterly, CISA Director, described it as “one of the most serious” she’s seen in her entire career, “if not the most serious”.

So far, Apache has issued at least three patches for Log4j since the discovery of the flaw, and users are urged to update immediately.

Via ZDNet



from TechRadar - All the latest technology news https://ift.tt/3Ji435y
Share:

No comments:

Post a Comment

Categories

Rove Reviews Youtube Channel

  1. Subscribe to our youtube channel
  2. Like our videos and share them too.
  3. Our youtube channel name Rove reviews.

WITNUX

This website is made by Witnux LLC. This website provides you with all the news feeds related to technology from large tech media industries like GSM Arena, NDTV, Gadgets 360, Firstpost and many other such ates altogether at technical depicts so that you need not go to several sites to view their post provide you advantantage of time.

From the developer
Tanzeel Sarwar

OUR OTHER NETWORKS

OUR YOUTUBE CHANNEL

ROVE REVIEWS PLEASE SUBSCRIBE

OUR FACEBOOK PAGE

The Rove Reviews

Support

Trying our best to provide you the best DONATE or SUPPORTour site Contact me with details how are you gonna help us