Vulnerability Discovered in Log4j Software: Addressing the Critical Flaw - CVE-2021-44228 Mitigation and Countermeasures
In the wake of the critical zero-day vulnerability, Log4Shell, disclosed on December 9, 2021, affecting Apache Log4j2, cybersecurity company Qualys has released two new QIDs (QID 376157 and QID 376187) to help system administrators identify and mitigate this security risk.
QID 376157: Authenticated Check for Log4j Vulnerability
This QID checks for the presence of the vulnerable Log4j package on the system. However, it may not detect the vulnerability if the target does not have the vulnerable package installed via the package manager or if the locate command is not available on the target. Moreover, if the target has a log4j package with a version less than 2.15.0, the target is flagged as vulnerable.
QID 376187: Enhanced Reporting for Log4j on Linux
This QID provides detailed information about the Log4j installation on Linux systems, including the full path to the log4j-core jar, its version, JMSAppender class status, and the base directory. However, it will not filter instances where the JMSAppender class is not found.
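To make the reported fields concrete, here is an added example (not Qualys code) of a small inventory helper that inspects a log4j-core jar and reports the same items QID 376187 describes: path, version, and whether the JMSAppender class is present. The Maven metadata path and the JMSAppender class path inside the jar are assumptions, and the test jar is constructed in memory.

```python
import io
import re
import zipfile
from typing import Optional

# Assumed locations (added example, not Qualys code): the Maven metadata file
# inside log4j-core jars and the path of the JMSAppender class the page names.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JMS_APPENDER_CLASS = "org/apache/logging/log4j/core/appender/mom/JmsAppender.class"
FIXED_VERSION = (2, 16, 0)  # the release the page tells administrators to move to


def version_tuple(text: Optional[str]) -> Optional[tuple]:
    """'2.14.1' -> (2, 14, 1); None when no x.y.z version can be found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path: str, data: bytes) -> dict:
    """Report path, version, JMSAppender presence and vulnerable status for one jar."""
    version = None
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jms_present = JMS_APPENDER_CLASS in names
    if version is None:  # fall back to the version embedded in the file name
        m = re.search(r"log4j-core-(\d+\.\d+\.\d+)\.jar$", path)
        version = m.group(1) if m else None
    parsed = version_tuple(version)
    # An unreadable version is reported as vulnerable rather than silently dropped.
    vulnerable = parsed is None or parsed < FIXED_VERSION
    return {"path": path, "version": version,
            "jms_appender_present": jms_present, "vulnerable": vulnerable}


def make_test_jar(version: str, with_jms: bool) -> bytes:
    """Build a constructed, minimal log4j-core-like jar in memory (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jms:
            jar.writestr(JMS_APPENDER_CLASS, b"\xca\xfe\xba\xbe")  # fake class stub
    return buf.getvalue()
```

On a real host, feed `inspect_jar` the bytes of each `log4j-core-*.jar` found on disk; jars embedded inside other archives are not unpacked here, which mirrors the detection gap the page describes for embedded binaries.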
QIDs on Other Operating Systems
On Windows systems, neither QID may be detected if access to WMI is restricted or if log4j is embedded inside other binaries. QID 376157 has been updated to support the Windows operating system: it uses WMI to enumerate running processes and identifies log4j included in a process via its command line.
Limitations and Workarounds
If log4j is not in the output of on Linux or if it's installed with an OS package manager and the QID is still not detected, a debug scan is required to identify why. If access to or is restricted, or if log4j is embedded inside other binaries, these QIDs may not be detected.
Updates and Investigations
Updates to QID 376157 are expected as more vendors release updates for this vulnerability. Qualys continues to flag QID 376157 on systems that have a vulnerable version of Log4j, even if mitigation controls are in place. The company also continues to investigate other options to identify this vulnerability more effectively.
QID 730297: Remote Unauthenticated Check for Log4j Vulnerability
This QID is a remote unauthenticated check that sends an HTTP GET to the remote web server and tries to inject the payload to exploit the vulnerability. It tries to inject the payload in various parameters such as X-Api-Version, User-Agent, Cookie, Referer, Accept-Language, and others. However, the vulnerability will not be detected if the application does not log any of the parameters mentioned.
Responsible Entity and Patch
The Apache Software Foundation, which maintains Log4j, has released the fix for this security vulnerability in Log4j version 2.16.0. System administrators are strongly encouraged to update their Log4j installations to this version as soon as possible.
Release of QIDs
The QIDs will be released at 11 PM ET on Dec 10, 2021.
In conclusion, the new QIDs from Qualys provide valuable tools for system administrators to detect and mitigate the Log4j vulnerability. However, it's essential to understand the limitations and potential workarounds for each QID to ensure comprehensive protection against this critical security risk.