How can MSSPs, cybersecurity professionals and threat hunters detect the Log4j zero day vulnerability (known as Log4shell)? Here's a list of Log4j vulnerability scanner tools from third-party software companies (sorted alphabetically).
Still, keep a few things in mind before you navigate the list of potential options. For starters, some vulnerability scanners and associated tools are generating false positives. Ask around to determine accuracy rates before you open your wallet or commit to a particular approach.
Another item to keep in mind: Certain tools may specialize in different areas. A handy list -- shared by Ken Smiley, director of special projects at Tanium, notes that various industry tools may or may not focus on such areas as:
- Identification - Identify vulnerable instances of the Apache Log4j utility, search for references to the impacted library in common file formats.
- Detection - Detect Instances of Exploitation.
- Remediation - Remediate the vulnerability and harden your systems.
- Report - Report on your exposure and remediation efforts over time.
Amid that context, here are some potential Log4j vulnerability scanner tools for MSSPs and MSSPs.
1. Amazon Inspector and AWS: The Amazon Inspector team has created coverage for identifying the existence of this vulnerability in your Amazon EC2 instances and Amazon Elastic Container Registry Images (Amazon ECR), according to Amazon. With the new Amazon Inspector, scanning is automated and continual, the company said. Continual scanning is driven by events such as new software packages, new instances, and new common vulnerability and exposure (CVEs) being published, AWS added.
2. Arctic Wolf made the Log4Shell Deep Scan tool publicly available on GitHub. Log4Shell Deep Scan enables detection of both CVE-2021-45046 and CVE-2021-44228 within nested JAR files, as well as WAR and EAR files.
3. Bi.Zone developed a scanner that uses YARA rules. The tool, deployed now on GitHub, scans the memory of Java processes for Log4j signatures. The scanner functions directly on the host, rather than through the Internet. The scan output is a list of hosts that contain applications with Log4j, which enables MSSPs and users to personally check if the library version is vulnerable. If it does turn out to be vulnerable, the BI.ZONE WAF cloud service will help you protect against external attacks using Log4j. It is not going to eliminate the need to install patches, but it will mitigate the risk of successful Log4Shell exploitation.
4. Binary Defense: Randy Pargman, VP of threat hunting and counterintelligence at Binary Defense, developed this open source tool. Also, Pargman described why he developed the tool in a LinkedIn update.
5. CISA: The Cybersecurity and Infrastructure Security Agency (CISA) modified a Log4J scanner created by security company FullHunt and got help from other researchers like Philipp Klaus and Moritz Bechler, ZDnet reported.
7. CyberCNS: The company's vulnerability scanner supports detection of the Log4j vulnerability, according to a CyberCNS home page message. Hundreds of MSPs and MSSPs run the CyberCNS Vulnerability Manager to help small businesses meet regulatory and compliance frameworks, the company says.
9. Datto, the MSP software, backup appliance and technology provider, has created the Log4Shell Enumeration, Mitigation and Attack Detection Tool for Windows and Linux. The tool downloads and executes the latest detection methods published by Florian Roth.
10. F-Secure: The company's F-Secure Elements Vulnerability Management platform allows MSPs and MSSPs to identify Log4j vulnerabilities.
12. Liongard: The automation software company, focused on MSPs, released a Log4j Audit report within the Liongard platform to make it easy for partners to see how the Log4j vulnerabilities are impacting their customers and their systems, Liongard to MSSP Alert.
13. Microsoft Defender for Endpoint: Multiple updates...
- The Microsoft 365 Defender portal now features a consolidated Log4j dashboard to help customers identify and remediate files, software and devices that are exposed to the Log4j vulnerabilities. Source: Microsoft.
- Microsoft has updated the Threat and Vulnerability Management capabilities in Microsoft Defender for Endpoint to surface Log4j library components that are vulnerable to CVE-2021-44228. These capabilities automatically discover vulnerable Log4j libraries in products and services installed on Windows clients and Windows servers.
14. Qualys is making its Web Application Scanning (WAS) solution available free for 30 days, beginning December 17, 2021. The tool can scan web applications and APIs for the Log4Shell (CVE-2021-44228) vulnerability, Qualys included.
17. Tenable: The company has released scan templates for Tenable.io, Tenable.sc, Tenable.io WAS and Nessus Professional which are p"re-configured to allow quick scanning for this vulnerability." Dashboards are also available in Tenable.io and Tenable.sc.
18. Trend Micro Log4j Vulnerability Tester: This web-based tool can help identify server applications that may be affected by the Log4Shell (CVE-2021-44228, CVE-2021-45046) vulnerability.
Bonus - Log4j Guidance From CISA: Here is regularly updated Log4j vulnerability mitigation guidance from the CISA (Cybersecurity and Infrastructure Security Agency).
Note: This blog originally published December 19, 2021. Updated regularly thereafter with additional Log4j vulnerability scanners. Send your suggested updates for consideration to MSSP Alert Editorial Director Joe Panettieri ([email protected]).