gb_log4j_CVE-2021-44228_*.nasl payload with FQDN hostname instead of ownip possible for containers?

Hi there,

First, thanks for your fast reaction in general on this threat.

We scanned our network for log4shell from a container version of Greenbone (Docker Hub) and found no results. At first look a nice result, but looking deeper into it, we found that the payload has the form:

2021-12-20 10:39:41.354 INFO 1 --- [nio-8080-exec-3] HelloWorld : Received a request for API version ${jndi:ldap://172.18.0.3:15006/a}

The address 172.18.0.3 is the IP of the container Greenbone runs in and thus is not reachable from the outside. The IP seems to be random. I found that the 4 NASL files at /data/var-lib/openvas/plugins/2021/apache/gb_log4j_CVE-2021-44228_*.nasl all contain this payload definition:

payload = "${jndi:ldap://" + ownip + ":" + rnd_port + "/a}";

A random port can’t be published by the container at runtime, so here are my questions:

  • When I change the payload locally - will this have any effect? Are the NASL files loaded when being executed or are they loaded at program start?
  • Could there be a way to configure these settings, address and port, in the web GUI?

Best regards
Henri
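
An added example (not part of the original post and not Greenbone code): one way to confirm from a target's application log whether a scanner's callback endpoint was reachable at all, so that an empty result is not mistaken for a clean one. The names `scanner_addrs` and `published_ports` and their values are constructed assumptions; the log line is the one quoted above.

```python
import ipaddress
import re

# Matches the callback endpoint inside a logged ${jndi:ldap://HOST:PORT/...} probe.
JNDI_RE = re.compile(r"\$\{jndi:ldap://(?P<host>[^:/}\s]+):(?P<port>\d+)/[^}]*\}")

# Log line as quoted in the post above.
SAMPLE_LOG = [
    "2021-12-20 10:39:41.354 INFO 1 --- [nio-8080-exec-3] HelloWorld : "
    "Received a request for API version ${jndi:ldap://172.18.0.3:15006/a}",
]

# Constructed assumptions: the address under which targets can reach the
# scanner host, and the container ports published on that host.
scanner_addrs = {ipaddress.ip_address("192.0.2.10")}
published_ports = {443}


def extract_callbacks(log_lines):
    """Return (host, port) for every JNDI LDAP callback found in the lines."""
    found = []
    for line in log_lines:
        for m in JNDI_RE.finditer(line):
            found.append((m.group("host"), int(m.group("port"))))
    return found


def audit_callback(host, port, addrs, ports):
    """Say whether a target could have connected back to host:port."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # An FQDN payload moves the question to name resolution on the target.
        return "hostname: verify that targets can resolve it"
    if ip not in addrs:
        return "unreachable: address is not one the targets can route to"
    if port not in ports:
        return "unreachable: port is not published by the container"
    return "reachable"


if __name__ == "__main__":
    for host, port in extract_callbacks(SAMPLE_LOG):
        verdict = audit_callback(host, port, scanner_addrs, published_ports)
        print(f"{host}:{port} -> {verdict}")
```

Any verdict other than "reachable" means a "no findings" result from that scan says nothing about whether the target is vulnerable.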

Hi @Henri and welcome to the forum.

This version isn’t maintained by Greenbone so I would contact the maintainer for insight. Thanks!