Upcoming Enhancements to Log4j 1.2 QID 376187

Himanshu Kathpal

Qualys is working on enhancing the Linux detection for Log4j 1.2 QID 376187 and further improving the reporting of the QID to provide more comprehensive information. The changes will include the following improvements:

  1. The Linux Detection will check for JMSAppender class status, i.e., if the class file is present inside the log4j jar or not. This will help in filtering out instances that have the mitigation applied i.e., deleting the JMSAppender class.
  2. The QID on Linux will have enhanced reporting. Refer to the screenshots below:

Current Reporting

Enhanced Reporting

The results will contain four columns:

  • PATH: This column will contain the full path to the log4j-core jar
  • VERSION: This column will contain the version extracted from the log4j-core jar file
  • JMS CLASS STATUS: This column will contain information regarding JNDI lookup class status and would have the following value:
    • JMSAppender_CLASS_FOUND
    • JMSAppender_CLASS_NOT_FOUND
    • JMSAppender_CLASS_STATUS_UNKNOWN
  • BASE_DIR: This column will contain the base directory extracted from the PATH.

The enhancement is applicable for both remote scans and Cloud Agents. The changes will need Cloud Agent 2.4 or later. The changes will be available by Mid-February 2022.

Show Comments (2)

Comments

Your email address will not be published.

  1. Does anyone know why QID: 376187 now showing Confirmed on some Window’s systems. There is no mention of enhanced reporting for Windows systems, so I would like to understand why Log4j v1.2 detections have changed from Potential to Confirmed (absent JMSAppender config detection logic).