1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Open source Log4j scanners are here to save the day

    From TechnologyDaily@1337:1/100 to All on Fri Dec 24 10:15:04 2021
    Open source Log4j scanners are here to save the day

    Date:
    Fri, 24 Dec 2021 10:01:46 +0000

    Description:
    Multiple free-to-use scanners have popped up, but none are perfect.

    FULL STORY ======================================================================

    Multiple cybersecurity experts have now released free-to-use scanners to help organizations look for vulnerable Log4j instances.

    The Cybersecurity and Infrastructure Security Agency (CISA), for example, has published a Log4j scanner on GitHub, based on a previous version built by security firm FullHunt.

    CISA said this tool scans for two vulnerabilities - CVE-2021-44228 and CVE-2021-45046 - and offers support for DNS callback for vulnerability discovery and validation. It also provides automatic bug detection for HTTP POST Data parameters, as well as JSON data parameters.

    Cybersecurity experts from Crowdstrike have also published a similar scanner called CAST. Scanners have flaws

    However, researchers have warned that none of these tools are perfect, and
    may end up missing a vulnerability or two.

    Yotam Perkal, research lead at security firm Rezilion, analyzed these tools and published the results in a blog post. According to Perkal, many scanners missed out on some versions of the vulnerability.

    "The biggest challenge lies in detecting Log4Shell within packaged software
    in production environments: Java files (such as Log4j) can be nested a few layers deep into other files which means that a shallow search for the file won't find it," wrote Perkal. "Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages."

    Perkal tested a total of nine scanners, and while some performed better than others, none were able to identify all vulnerable Log4j deployments.

    "It also reminds us that detection abilities are only as good as your detection method. Scanners have blindspots," Perkal concluded. "Security leaders cannot blindly assume that various open-source or even commercial-grade tools will be able to detect every edge case. And in the
    case of Log4j, there are a lot of edge instances in many places." Log4Shell

    Log4j is a Java logger that was recently discovered to hold a critical flaw, which could allow malicious actors (even those with very little skill) to run arbitrary code on millions of endpoints , and push out malware , ransomware and cryptominers.

    Further investigation uncovered that Log4Shell, as the flaw is dubbed, is one of the most serious security vulnerabilities in recent history. Jen Easterly, CISA Director, described it as one of the most serious shes seen in her
    entire career, if not the most serious.

    So far, Apache has issued at least three patches for Log4j since the
    discovery of the flaw, and users are urged to update immediately. Here's our list of the best firewalls on the market

    Via ZDNet



    ======================================================================
    Link to news story: https://www.techradar.com/news/open-source-log4j-scanners-are-here-to-save-the -day/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)