CISA releases a scanner to identify web services affected by Apache Log4j flaws

US CISA release of a scanner for identifying web services affected by two Apache Log4j remote code execution vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of an open-source scanner for identifying web services impacted by Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

“This repository provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). The information and code in this repository is provided “as is” and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.” reads the description for the project.

The tool allows security teams to scan their infrastructure for Log4J RCE vulnerability and discover web application firewall (WAF) bypasses that can result be exploited to execute arbitrary code on the target’s infrastructure.

Below is the list of features implemented in the log4j-scanner:

Support for lists of URLs.
Fuzzing for more than 60 HTTP request headers (not only 3-4 headers as previously seen tools).
Fuzzing for HTTP POST Data parameters.
Fuzzing for JSON data parameters.
Supports DNS callback for vulnerability discovery and validation.
WAF Bypass payloads.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) released a joint advisory to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105.

Government experts warn of sophisticated cyber threat actors which are actively scanning networks to potentially exploit the above flaws in vulnerable systems.

CISA also ordered Federal Civilian Executive Branch agencies to address the critical Log4Shell vulnerability in the Log4j library by December 24th, 2021.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.