I recently started deploying and using GVM 22.5.0 for scanning, but I found that several Apache Log4j vulnerabilities appeared after scanning.
To my surprise, Apache Log4j was scanned from port 3268 and port 5357 of Windows Server to port 9100 of the GVM machine, which made me wonder if the scan results were normal.
I tried to search for Apache Log4j false positive issues in the Greenbone forum, but it seems that only I have this problem.
I tried to make the same HTTP request and get any information through netcat according to the description of Detection Result in the Report, but it was not successful.
Perhaps I did not do the right thing. After all, the Detection Method describes:
Sends various crafted HTTP requests to the web root of the remote web server and checks the responses.
I am still confused about this issue, and I hope I can understand:
1. Is it possible that this is a false positive?
How can I improve it? Or should I just ignore the Log4j scan results?
2. How can I reproduce this report item, so that I can report this vulnerability to the owner of the machine or service and have the other party trust the results I provide, instead of them telling me that this machine or service does not use Log4j so there will be no vulnerabilities?
3. The solution in the item describes:
If Apache Log4j is embedded into a specific product please contact the vendor of the product for additional info on the availability of updates.
Because the item that was scanned for vulnerabilities is not related to Log4j in my understanding, it is difficult for me to locate where Log4j is embedded and how to update that product.
How should I fix it?
I would be grateful for any answers you can provide.