Log4j Scanner (CVE-2021-44228 - Log4Shell vulnerability)

The Log4j vulnerability stems from improper input validation in the JNDI functionality of Apache Log4j versions 2.14.1 and earlier. The "message lookup substitution" feature, enabled by default in these versions, allows attackers to load and execute arbitrary Java code from a remote LDAP server.

What makes this an even bigger problem for security teams is that JNDI lookups support multiple protocols, including LDAP, LDAPS, DNS, and RMI.

Therefore, if an attacker can control the log messages and inject arbitrary code via input parameters or HTTP headers, they can create a malicious Java class on a server they control.

The vulnerable server would then use the lookup method to execute this malicious Java class from the LDAP/LDAPS/DNS/RMI server.

This Log4j vulnerability scanner uses a payload like: ${jndi:dns://${hostName}.private-dns-server} or ${${::-j}${::-n}${::-d}${::-i}:${::-d}${::-n}${::-s}://{hostName}.private-dns-server} and injects it into the URL or custom headers.

To scan for Log4j, this tool uses some of the detection capabilities from our Network Vulnerability Scanner, but the paid version of our Website Vulnerability Scanner can also find the Log4j vulnerability.

The Website Scanner inserts the payload in various locations within the target application, including the Base URL, HTTP headers (over 50 headers), and all input fields in HTML forms (e.g., username, search, etc.), which it discovers by crawling the app. If the application is vulnerable, the Log4j checker mechanism will trigger a DNS request to one of the private DNS servers hosted in our cloud environment.

If you’re interested in even more details around this, we explained how to check for the Log4j vulnerability in a dedicated article.

Log4j vulnerability (CVE-2021-44228) severity

Even though it’s been a few years since CVE-2021-44228 emerged in December 2021, many security and IT folks are still looking for quick ways to scan for the Log4j vulnerability. That’s because this security issue has a high severity CVSSv3 score of 10 and it is included in the Known Exploited Vulnerabilities database from the Cybersecurity and Infrastructure Security Agency (CISA).

How to fix the Log4j vulnerability - CVE-2021-44228 mitigation

We recommend updating the Log4j library to at least version 2.17.1.

This version not only fixes the vulnerability but also addresses additional security issues found after the initial patch. The initial fix was incomplete in certain non-default configurations which is why CVE-2021-45046 appeared.

If you’ve already applied the initial fix and are unsure if the subsequent Log4j RCE (CVE-2021-45046) persists in your systems, you can use the Deep scan option of our Network Vulnerability Scanner (paid) to run another test and confirm - or disprove - it.

Log4j detection references

• https://pentest-tools.com/blog/how-we-detect-log4shell
• https://pentest-tools.com/blog/log4shell-scanner-detect-cve-2021-44228
• https://pentest-tools.com/vulnerabilities-exploits/log4j-remote-code-execution-log4shell-cve-2021-44228_110

Now that you’ve found how to scan for the Log4j vulnerability quickly and at zero cost, maybe you’re curious what you’ll get after the scan finishes.

Here’s a sample report from our free Log4j vulnerability scanner, which you can export as PDF. This is the kind of proof and remediation advice you’ll get if our Log4j vulnerability scanner finds any vulnerable systems in your infrastructure: