New Options Profiles for Log4Shell Detection

Himanshu Kathpal

Last updated on: December 21, 2022

We have now added two new option profiles to our library for Log4Shell vulnerabilities. Option profiles define the settings you want to use for your scan. These new option profiles are tuned to quickly detect the Log4Shell vulnerability on assets in your environment.

The following two pre-configured option profiles are now available in the library to help you get started:

  1. Log4Shell – Authenticated Scan
  2. Log4Shell – Unauthenticated Scan

You can import these profiles into your account and use them as-is or edit them as needed.

Importing Option Profiles

To import our option profiles, go to Scans > Option Profiles > New and select Import from Library.

Choose from the Log4ShellAuthenticated Scan or Log4ShellUnauthenticated Scan options and click Import.

Note: Use the Log4Shell – Authenticated Scan option profile for authenticated scans and Log4Shell – Unauthenticated Scan option for unauthenticated scans. For information on authenticated and unauthenticated scans, refer to the Why Use Host Authentication? section of the Online Help.

We recommend making the option profile Global to make it available to all users in the subscription.

The Log4Shell option profiles come with pre-defined search lists that include Log4Shell QIDs. When you scan using these option profiles, the scanner first gathers information about the host and then scans for all QIDs listed with these option profiles. For information on QIDs listed with these option profiles, refer to the Search List section.

The Scan Settings tab in the Option Profile information provides you with an option to view the complete list of QIDs that are included/associated with the option profile.

Review the other tabs of these option profiles to confirm it suits your requirement. Note that these option profiles set the performance of the scan as Normal. If you are concerned about the performance impact, Qualys recommends you change these settings to match your requirement.

When you are ready to scan your environment for Log4Shell vulnerabilities, run a scan and ensure to select these option profiles you just imported. You can associate the option profile when you trigger the scan. For more information on scans, refer to the Scan for Vulnerabilities topic in the Online Help.

Once the scan is completed, you can view the scan report to know the assets that have been affected by the vulnerabilities. Go to the reports list and check to be sure your report is finished – the status will show “Finished”. For more information on scan reports, refer to the Reporting on your Vulnerabilities and Assets topic in the Online Help.

Search Lists

Qualys has released 2 search lists to cater to QIDs associated with Log4Shell:

  1. Log4Shell Dynamic Search List: This is a dynamic search list that searches for vulnerabilities related to Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell). This search list includes the following CVE IDs:
    • CVE-2021-45046
    • CVE-2021-44228
    • CVE-2021-4104
    • CVE-2021-45105
  2. Log4Shell Static Search List: This is a static search list that helps in the detection of Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell). This search list includes the following QIDs:
QID NumberQID Title
45006Traceroute
45017OS Detected
70000NetBIOS name accessible
82023OpenTCPServicesList
45039Hostnamefound
6DNSHostName
82044NetBIOS
34011Firewall detected
43007Network adapter MAC address
45038Host scan time
82062NetBIOS Workgroup name detected
45141Installed Packages on Unix and Linux Operating Systems
45179Report Qualys Host ID Value
90235Installed Applications Enumerated From Windows Installer
45456Windows WMI Authentication Level status
34011Firewall detected
45484Correlation id service running
48143Correlation id detected
Share your Comments

Comments

Your email address will not be published. Required fields are marked *