The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner for identifying vulnerable web servers affected by the recently disclosed Apache Log4j remote code execution vulnerabilities (CVE-2021-44228 and CVE-2021-45046).
“Log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities,” CISA explained.
According to the project page on GitHub, the log4j-scanner is a fully automated, accurate, and extensive scanner for finding vulnerable Log4j hosts. Security teams can use the tool to scan their own infrastructure for Log4j RCE vulnerabilities and to test for WAF bypasses that could lead to code execution in the organization's environment.
The scanner supports the following features:
Support for lists of URLs.
Fuzzing of more than 60 HTTP request headers (rather than only the 3-4 headers covered by previously seen tools).
Fuzzing for HTTP POST Data parameters.
Fuzzing for JSON data parameters.
Supports DNS callback for vulnerability discovery and validation.
WAF Bypass payloads.
On Wednesday, the security agencies in the U.S., the UK, Australia, Canada, and New Zealand released a joint Cybersecurity Advisory to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j logging library: CVE-2021-44228 (“Log4Shell”), CVE-2021-45046, and CVE-2021-45105, of which two bugs - Log4Shell and CVE-2021-45046 - are known to have been under active exploitation.
The vulnerabilities can allow attackers to remotely execute code on vulnerable systems, and according to security researchers, nation-state hackers and ransomware gangs are actively taking advantage of these bugs in their attacks.
The Belgian Ministry of Defense suffered a cyberattack last week involving exploitation of the Log4Shell vulnerability. The attack disrupted part of the Ministry’s computer network, including the email system.