Upcoming Enhancements to Log4j QIDs

Himanshu Kathpal

Qualys is working on enhancing detection for Log4j QIDs and further improving the reporting of the QIDs to provide more comprehensive information. The changes will include the following improvements:

1. Linux detection for the authenticated QIDs (QIDs 376157, 376178, 376194, and 376209) will also check the JNDI lookup class status, i.e., whether the class file is present inside the log4j-core jar. Furthermore, QIDs 376157 and 376178 will be enhanced on Linux so that they no longer report instances from which the JNDI lookup class has been removed.

2. The reporting of authenticated QIDs and Qualys Log4j scan utility-based QIDs on Linux will be updated. Refer to the screenshots below:

Current Reporting

Enhanced Reporting

The results will contain four columns:

  • PATH: This column will contain the full path to the log4j-core jar
  • VERSION: This column will contain the version extracted from the log4j-core jar file
  • JNDI CLASS STATUS: This column will contain information regarding the JNDI lookup class status and will have one of the following values:
    • JNDI_CLASS_FOUND
    • JNDI_CLASS_NOT_FOUND
    • JNDI_CLASS_STATUS_UNKNOWN

    To check whether the vulnerable JNDI lookup class inside a log4j instance has been deleted or not, Qualys relies on one of the following commands:

    unzip -l <LOG4J_JAR_FILE>
    jar -tf <LOG4J_JAR_FILE>
    zip -sf <LOG4J_JAR_FILE>

    These commands list the files inside the log4j-core jar, which is how the presence of the JNDI lookup class is checked. They are not present by default on some flavors of Linux/Unix; in that case Qualys cannot verify whether the class has been deleted, and the JNDI class status is reported as JNDI_CLASS_STATUS_UNKNOWN.
  • BASE_DIR: This column will contain the base directory extracted from the PATH.
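The following is an added example, not Qualys detection code, showing how the four columns above can be produced for log4j-core jars found under a directory, including the UNKNOWN edge case. It lists the jar with Python's zipfile module rather than the unzip/jar/zip commands, so it works on hosts where those tools are missing. The version source (MANIFEST.MF Implementation-Version, then the file name), the treatment of BASE_DIR as the jar's parent directory, and the fixture jars it builds are all assumptions of this example.

```python
"""Added example (not Qualys detection code): enumerate log4j-core jars and
emit the four columns of the enhanced report, plus the UNKNOWN edge case."""
import os
import re
import zipfile

# The class whose presence or absence decides the JNDI CLASS STATUS column.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# File-name pattern for log4j-core jars, e.g. log4j-core-2.14.1.jar
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)+)\.jar$")


def jndi_class_status(jar_path):
    """Return JNDI_CLASS_FOUND, JNDI_CLASS_NOT_FOUND or JNDI_CLASS_STATUS_UNKNOWN.

    The advisory lists the jar with unzip/jar/zip; this example lists it with
    Python's zipfile instead, so it does not depend on those tools being
    installed. A jar that cannot be listed at all (missing, unreadable or
    truncated) maps to the UNKNOWN status, mirroring the advisory's caveat.
    """
    try:
        with zipfile.ZipFile(jar_path) as jar:
            entries = set(jar.namelist())
    except (OSError, zipfile.BadZipFile):
        return "JNDI_CLASS_STATUS_UNKNOWN"
    return "JNDI_CLASS_FOUND" if JNDI_LOOKUP_CLASS in entries else "JNDI_CLASS_NOT_FOUND"


def jar_version(jar_path):
    """Version from META-INF/MANIFEST.MF (Implementation-Version), falling back
    to the file name. Assumption: the advisory does not say which source is used."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Implementation-Version" and value.strip():
                return value.strip()
    except (OSError, KeyError, zipfile.BadZipFile):
        pass
    match = JAR_NAME_RE.match(os.path.basename(jar_path))
    return match.group(1) if match else "UNKNOWN"


def report_row(jar_path):
    """One result row. Assumption: BASE_DIR is the directory containing the jar."""
    jar_path = os.path.abspath(jar_path)
    return {
        "PATH": jar_path,
        "VERSION": jar_version(jar_path),
        "JNDI_CLASS_STATUS": jndi_class_status(jar_path),
        "BASE_DIR": os.path.dirname(jar_path),
    }


def scan(root):
    """Walk `root` and report every log4j-core jar found, sorted by path."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME_RE.match(name):
                rows.append(report_row(os.path.join(dirpath, name)))
    return sorted(rows, key=lambda row: row["PATH"])


def build_sample_jars(target_dir):
    """Constructed fixtures (not real artifacts): an intact jar, one with
    JndiLookup.class removed, and a truncated jar that cannot be listed."""
    manifest = "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n"
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; content is irrelevant
    for app, keep_class in (("app1", True), ("app2", False)):
        path = os.path.join(target_dir, app, "lib", "log4j-core-2.14.1.jar")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
            jar.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
            if keep_class:
                jar.writestr(JNDI_LOOKUP_CLASS, fake_class)
    truncated = os.path.join(target_dir, "app3", "log4j-core-2.10.0.jar")
    os.makedirs(os.path.dirname(truncated), exist_ok=True)
    with open(truncated, "wb") as fh:
        fh.write(b"PK\x03\x04 truncated")  # local-header magic but no central directory
    return target_dir


if __name__ == "__main__":
    import tempfile
    for row in scan(build_sample_jars(tempfile.mkdtemp(prefix="log4j-report-"))):
        print("  ".join(f"{key}={value}" for key, value in row.items()))
```

Running the module prints one line per jar: app1 reports JNDI_CLASS_FOUND, app2 (class removed) reports JNDI_CLASS_NOT_FOUND, and the truncated app3 jar reports JNDI_CLASS_STATUS_UNKNOWN with its version taken from the file name, which is the same three-way outcome the enhanced QID output distinguishes.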

QIDs: 376157, 376178, 376194, 376209, 376160, 45515, 376193, 376195 and 376210

The enhancement is applicable to both remote scans and Cloud Agents. The changes will require Cloud Agent 2.4 or later and will be available by the end of January 2022.

The enhancements are available from: VULNSIGS-2.5.392-2.


Comments


  1. Does this improvement address CVE-2021-4104 false positives as well? It appears Log4j 1.2.x is being reported as vulnerable regardless of whether it is configured to use JMSAppender or not. Reporting EoS/Obsolete is one thing but flagging it as vulnerable is a different story.