Qualys is working on enhancing the Linux detection for Log4j 1.2 QID 376187 and further improving the reporting of the QID to provide more comprehensive information. The changes will include the following improvements:
- The Linux detection will check the JMSAppender class status, i.e., whether the class file is present inside the log4j jar. This will help filter out instances that have the mitigation applied, i.e., the JMSAppender class deleted.
- The QID on Linux will have enhanced reporting. Refer to the screenshots below:
The results will contain four columns:
- PATH: This column will contain the full path to the log4j-core jar
- VERSION: This column will contain the version extracted from the log4j-core jar file
- JMS CLASS STATUS: This column will contain information regarding JNDI lookup class status and would have the following value:
- BASE_DIR: This column will contain the base directory extracted from the PATH.
The enhancement applies to both remote scans and Cloud Agents. The changes require Cloud Agent 2.4 or later and will be available by mid-February 2022.
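The check described above can be reproduced locally to validate the mitigation before a scan. This Python example is added here and is not Qualys's detection logic: it walks a directory, looks for `org/apache/log4j/net/JMSAppender.class` inside each Log4j 1.x jar, and returns rows with the four columns listed. The marker class used to recognise a Log4j 1.x jar, the version extraction (manifest `Implementation-Version`, then file name), the `PRESENT`/`ABSENT` labels, BASE_DIR as the jar's parent directory, and the sample jars are all assumptions of this example.

```python
import os
import re
import tempfile
import zipfile

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"  # removed by the mitigation
MARKER_CLASS = "org/apache/log4j/Appender.class"      # assumed Log4j 1.x marker

def inspect_jar(path):
    """Return a report row for a Log4j 1.x jar, or None for anything else."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if MARKER_CLASS not in names:
                return None
            has_manifest = "META-INF/MANIFEST.MF" in names
            manifest = jar.read("META-INF/MANIFEST.MF") if has_manifest else b""
    except (zipfile.BadZipFile, OSError):
        return None  # corrupt or unreadable archive
    # Version from the manifest, else from the file name (assumed order).
    hit = re.search(rb"^Implementation-Version:\s*([\w.\-]+)", manifest, re.M)
    name_hit = re.search(r"log4j-(\d[\w.\-]*)\.jar$", os.path.basename(path))
    version = hit.group(1).decode() if hit else name_hit.group(1) if name_hit else "unknown"
    full = os.path.abspath(path)
    return {"PATH": full, "VERSION": version,
            # PRESENT/ABSENT are labels made up for this example.
            "JMS CLASS STATUS": "PRESENT" if JMS_CLASS in names else "ABSENT",
            "BASE_DIR": os.path.dirname(full)}

def scan(root):
    """Walk root and return one row per Log4j 1.x jar, sorted by path."""
    jars = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith(".jar")]
    return sorted(filter(None, map(inspect_jar, jars)), key=lambda r: r["PATH"])

def make_sample_jar(path, with_jms, manifest_version=None):
    """Write a constructed stand-in jar with empty class files (demo input)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MARKER_CLASS, b"")
        if with_jms:
            jar.writestr(JMS_CLASS, b"")
        if manifest_version:
            jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: %s\r\n" % manifest_version)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-1.2.17.jar"), True, "1.2.17")
        make_sample_jar(os.path.join(tmp, "log4j-1.2.16.jar"), False)
        for row in scan(tmp):
            print(row)
```

Jars nested inside other archives (for example a WAR or a fat jar) are not opened by this example.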