Security News > 2021 > December > CISA releases Apache Log4j scanner to find vulnerable apps

CISA releases Apache Log4j scanner to find vulnerable apps
2021-12-22 15:23

The Cybersecurity and Infrastructure Security Agency has announced the release of a scanner for identifying web services impacted by two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

"Log4j-scanner is a project derived from other members of the open-source community by CISA's Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities," the cybersecurity agency explains.

The agency was also behind a joint advisory issued today by cybersecurity agencies worldwide and US federal agencies with mitigation guidance on addressing the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j vulnerabilities.

CISA's also spearheading a push for urgently patching devices vulnerable to Log4Shell attacks to block threat actors' attempts to exploit Log4Shell vulnerable systems and infect them with malware.

On Friday, CISA ordered Federal Civilian Executive Branch agencies to patch their systems against Log4Shell until December 23.

The cybersecurity agency also recently added the flaw to the Known Exploited Vulnerabilities Catalog, thus also requiring expedited action from federal agencies to mitigate this critical flaw until December 24.


News URL

https://www.bleepingcomputer.com/news/security/cisa-releases-apache-log4j-scanner-to-find-vulnerable-apps/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-12-18 CVE-2021-45105 Uncontrolled Recursion vulnerability in multiple products
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups.
network
high complexity
apache netapp debian sonicwall oracle CWE-674
5.9
2021-12-14 CVE-2021-45046 Expression Language Injection vulnerability in multiple products
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
network
high complexity
apache intel cvat siemens debian sonicwall fedoraproject CWE-917
critical
9.0
2021-12-10 CVE-2021-44228 Deserialization of Untrusted Data vulnerability in multiple products
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 305 59 859 659 313 1890