Testing for CVE-2021-44228 (Log4j/Log4Shell vulnerability)

Is this CVE detected or soon to be?

7 Likes

Hi @JoeLouis and welcome to the forum :slight_smile:

I’ve moved your post into the Greenbone Source Edition category for better visibility (and added to the post title).

Yes, CVE-2021-44228 (log4j/Log4Shell vulnerability) detection is available in the Greenbone feeds. Here are links to more information:

(English)

(German)

Update from 2021-12-20: vulnerability tests for products running on Microsoft Windows are now available.

Note: The tests check the existence of log4j and its version. A separate vulnerability test may not be available for each affected application, but all log4j files are found and reported (/path-to-log4j-file/).

The issued installation paths must be checked and, if necessary, the vendor must be contacted. It must be checked whether updates are already available for the respective application and whether the find is relevant.

PowerShell execution privileges on a target system are required for the account used in an authenticated scan. Some vulnerability tests execute PowerShell commands to increase the accuracy of the results, which require permissions for the duration of a scan.

8 Likes

I am also very urgent to pay attention to this matter

Hi @xdli, welcome to the forum :slight_smile:

your post was in the auto-moderation queue so it’s appearing in the wrong thread order, but yes, it’s detected and there is more info in the links above. Hope that helps!

Hi,
the updated feeds doesn’t contain CVE-2021-44228 Greenbone Security Manager as described in the article.
Do you know when will it be available ?

2 Likes

Hi DeeAnn,
where can I get the special scan config XML file?

5 Likes

Hi @PatSch and welcome to the forum, :slight_smile:
the scanning config is being worked on/reviewed (edit- see post 23 in this thread).

Hi @bbascou, :slight_smile:

I think that is a demonstration-only page for the user interface and if so, unsure which feed it uses or how current it would be. The main security and community feed distributions should have the updates.

The CVE is now listed, thank you.

1 Like

Thanks for the quick work!

For a successful detection of this risk, the scanner host needs to be reachable by the target host via TCP.

Could we please get more details on this requirement? Is there a specific port that needs to be open on the scanner host? How can we test that our setup covers this requirement? Thank you!

1 Like

Hi @bellamy and thank you! I’m checking.

@bellamy got the answer- you shouldn’t have to open any ports, but if for example you are running the scanner behind a NAT or using a firewall (or if anything is in the way of the communication back from the remote host to the server) detection won’t work.

I have just made an update, but I can’t see the cve-2021-44228. What do I do

Hi @pbp and welcome to the forum :slight_smile:

Did you update the feed itself, or the software?

just the feed

do I need to upgrade the software

sudo -Hiu gvm greenbone-feed-sync --type CERT

I don’t so for this specifically, but it’s good to be running the most current release just to make sure everything is working correctly.

--type CERT updates DFN-Cert und Cert-Bund data. This is likely not what you want. To get up to date cve data you need to use --type SCAP and to get the VT to need to run greenbone-nvt-sync.

2 Likes

Thanks and thanks!

1 Like