Out-of-Band Detection for Log4Shell

Eran Livne

Last updated on: December 23, 2022

Log4j is the de facto logging library for all Java applications, as Log4j is used in most Java-based applications. The challenge is that Java applications that use the log4j-vulnerable library can be coded, packaged, and deployed using different methods – this introduces a challenge for detection logic.

Qualys has released multiple QIDs (see blog for details) to detect Log4Shell. The QID detection logic assumes best practices were used to embed the log4j library inside a Java application, however, as explained, it is not guaranteed that developers will use best practices to embed the Log4j library in their code, as such an in-depth approach for detection is required to complement those QIDs.

To help our customers, the Qualys team has created an out-of-band script for Linux and a Utility for Windows which can be run on Windows and Linux and perform a “deep” file scan to find all instances of a vulnerable log4j library. The benefit of such a tool is that it should find all instances of a vulnerable log4j library regardless of the Java application coding, packaging, and deployment method used. The disadvantage is that this tool performs a “deep” search on the entire hard drive, including archives, which is a time-consuming and CPU-consuming task. As such, we recommend running this tool “out-of-band”.

Note that any Java application may be vulnerable to Log4Shell, Java client applications may also be vulnerable as this vulnerability is not exclusive for web servers. 

Qualys has open-sourced the detection utility/script to help even if you are not a Qualys customer. The script, source code, and binaries are available on GitHub:

How it works:

  1. The utility/script scans the entire hard drive and looks for file JndiLookup.class (this file indicates that log4j with the vulnerability may be present)
  2. Once this file is found, the utility/script validates the version of the log4j jar based on its manifest.
    1. The utility/script will search for this class inside all Jars, nested Jars, and other Java-based archives. 
  3. Vulnerable log4j jars will be reported to file. 

QID to process utility output 

  1. A new QID (QID 376160) has been created to parse the output of these scripts. 
  2. The QID reads the output as written by the script/utility and reports the findings. 

Note: The QID requires the utility/script to run on the asset before the Qualys scanner scans for the QID.

How to use:

  • Download the script or utility from the corresponding GitHub link
  • Run the utility/script on every asset
    • Instructions on how to run the utility/script can be found on the GitHub page
  • The results will be stored (by the utility or script) to disk. See GitHub page for the file location per OS.
  • The next time a VM scan runs, it will pick up the result of the script/utility and post the QID in case the results of the script/utility indicate a vulnerable asset.

Note

Our engineers are working on adding a method to run those in-depth searches directly from the Qualys platform without the need to use an external tool. We will update this blog as soon as this solution is available for our customers.

Show Comments (9)

Leave a Reply to Matthew Cancel reply

Your email address will not be published. Required fields are marked *

  1. Unfortunately it does not appear the scanner can be run silently, which is jarring for the thousands of users who will see the cmd window spawn during a scan.

  2. i’m told that Support can activate the facility in every cloud agent on a customer’s subscription, however there could be an overhead to device performance of the deep dive search.
    I’ve asked our TAM to check this, and hopefully this blog can be updated

  3. “Our engineers are working on adding a method to run those in-depth searches directly from the Qualys platform without the need to use an external tool.”

    Is there an update for adding this directly from the platform?

  4. Customer wants to exclude a some directories on their assets to be scanned by this script. Can you please let know how this is possible?

  5. Could you please create an video on the implementation of this process and share it. Which would really be useful.
    Moreover the script which we are asked to download from Github, will that create any impact on the performance of the asset. Since we may have to run that particularly on servers and DB’s – any review on this please.