CISA releases a scanner to identify web services affected by Apache Log4j flaws

US CISA release of a scanner for identifying web services affected by two Apache Log4j remote code execution vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of an open-source scanner for identifying web services impacted by Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

“This repository provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). The information and code in this repository is provided “as is” and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.” reads the description for the project.

The tool allows security teams to scan their infrastructure for Log4J RCE vulnerability and discover web application firewall (WAF) bypasses that can result be exploited to execute arbitrary code on the target’s infrastructure.

Below is the list of features implemented in the log4j-scanner:

• Support for lists of URLs.
• Fuzzing for more than 60 HTTP request headers (not only 3-4 headers as previously seen tools).
• Fuzzing for HTTP POST Data parameters.
• Fuzzing for JSON data parameters.
• Supports DNS callback for vulnerability discovery and validation.
• WAF Bypass payloads.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) released a joint advisory to provide mitigation guidance on addressing vulnerabilities in  Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105.

Government experts warn of sophisticated cyber threat actors which are actively scanning networks to potentially exploit the above flaws in vulnerable systems.

CISA also ordered Federal Civilian Executive Branch agencies to address the critical Log4Shell vulnerability in the Log4j library by December 24th, 2021.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]