Good Evening Everyone,
Could anyone help me understand how the Log4j NVTs detect this vulnerability?
I understand these NVTs as sending HTTP requests containing the payload ${jndi:ldap://ipaddress:port/a} and considering the vulnerability present if the target machine sends a request to the specified IP address and port. Are there details as to what the response looks like that triggers a positive detection?
We’ve detected Log4Shell on one system on a specific port. We narrowed our scan config and have seen a handful of additional positive detections; however, the positives are very intermittent. I would think this vulnerability would be exploitable close to 100% of the time if it existed.
Any help would be much appreciated. Thanks!