Upcoming Enhancements to Log4j QIDs

Himanshu Kathpal

Qualys is working on enhancing detection for Log4j QIDs and further improving the reporting of the QIDs to provide more comprehensive information. The changes will include the following improvements:

1. On Linux, detection for the authenticated QIDs (376157, 376178, 376194, and 376209) will also check the JNDI lookup class status, i.e., whether the class file is present inside the log4j-core jar. Furthermore, QIDs 376157 and 376178 will be enhanced on Linux so that they do not report instances from which the JNDI lookup class has been removed.

2. Reporting for the authenticated QIDs and the Qualys Log4j scan utility-based QIDs on Linux will be updated. Refer to the screenshots below:

Current Reporting

Enhanced Reporting

The results will contain four columns:

  • PATH: This column will contain the full path to the log4j-core jar
  • VERSION: This column will contain the version extracted from the log4j-core jar file
  • JNDI CLASS STATUS: This column will contain the JNDI lookup class status and will have one of the following values:
    • JNDI_CLASS_FOUND
    • JNDI_CLASS_NOT_FOUND
    • JNDI_CLASS_STATUS_UNKNOWN
  • BASE_DIR: This column will contain the base directory extracted from the PATH.

QIDs: 376157, 376178, 376194, 376209, 376160, 45515, 376193, 376195 and 376210

The enhancement is applicable for both remote scans and Cloud Agents. The changes will need Cloud Agent 2.4 or later. The changes will be available by the end of January 2022.
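The check and the four-column row described above can be reproduced locally on a single jar. This is an added example, not Qualys's detection logic. It assumes that BASE_DIR is the directory containing the jar, that the version comes from the jar's Maven `pom.properties`, and that an unreadable jar maps to JNDI_CLASS_STATUS_UNKNOWN; the sample jars are constructed stand-ins.

```python
import os
import tempfile
import zipfile

# Entry names used inside a log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(path):
    """Return one report row (dict) for a log4j-core jar."""
    row = {
        "PATH": path,
        "VERSION": "UNKNOWN",
        "JNDI CLASS STATUS": "JNDI_CLASS_STATUS_UNKNOWN",
        # Assumption: BASE_DIR is the directory that holds the jar.
        "BASE_DIR": os.path.dirname(path),
    }
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPS in names:
                props = jar.read(POM_PROPS).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        row["VERSION"] = line.split("=", 1)[1].strip()
            row["JNDI CLASS STATUS"] = (
                "JNDI_CLASS_FOUND" if JNDI_CLASS in names else "JNDI_CLASS_NOT_FOUND"
            )
    except (OSError, zipfile.BadZipFile):
        pass  # unreadable or corrupt jar: status stays UNKNOWN (assumption)
    return row


def build_sample_jar(directory, name, version, with_jndi):
    """Write a constructed, minimal stand-in for a log4j-core jar."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for jar in (build_sample_jar(d, "log4j-core-2.14.1.jar", "2.14.1", True),
                    build_sample_jar(d, "log4j-core-patched.jar", "2.14.1", False)):
            print(inspect_jar(jar))
```

A jar that carries a vulnerable version string but reports JNDI_CLASS_NOT_FOUND is the case the enhanced QIDs 376157 and 376178 stop reporting.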
