QID 376160

Date Published: 2021-12-16

QID 376160: Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell) Detected Based on Qualys Log4j scan Utility

A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).

Affected versions:
Log4j versions 2.x prior to and including 2.14.1 (exclude 2.12.x)
Log4j versions 2.12.x prior to 2.12.2

QID Detection: (Authenticated)
Operating System: Windows
This QID reads the file generated by Qualys utility Qualys Log4j Scan Utility for Windows
The QID reads 1st 100000 characters from the generated out put file.

QID Detection: (Authenticated)
Operating System: Linux
This QID reads the file generated by Qualys utility Qualys Log4j Scan Utility for Linux to find vulnerable instances of Log4j.

Successful exploitation of this vulnerability could lead to remote code execution (RCE) on the target.

  • CVSS V3 rated as Critical - 10 severity.
  • CVSS V2 rated as Critical - 9.3 severity.
  • Solution
    The vendor has released a fix for this vulnerability and the customers are advised to update their Log4j to the version 2.15.0. If updating the version is not possible, please refer to the mitigations mentioned here Log4j.
    Workaround:
    In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
    Vendor References

    CVEs related to QID 376160

    Software Advisories
    Advisory ID Software Component Link
    NA URL Logo logging.apache.org/log4j/2.x/download.html