Upcoming Changes to Log4j Scan Utility QIDs
Last updated on: April 19, 2022
Update (04/19/2022): In addition to the Scan Utility QIDs on Windows, Qualys will also modify the JNDI_CLASS_STATUS column on Scan Utility QIDs on Linux. An instance will have the status as “JNDI CLASS FOUND” when JNDI Lookup class was found and have status as “JNDI CLASS NOT FOUND” when the class is missing.
Qualys is working on updating detection for Log4j scan utility QIDs 45515, 376160, 376193, 376195 and 376210 on Linux and Windows.
Linux Authenticated Checks:
Currently, the QIDs on Linux/Unix report only when a successful scan is identified by checking the scan run status in the file log4j_findings.stderr.
Qualys will modify this current behavior and report these QIDs (376160, 376193, 376195 and 376210) as long as there is scan data in the log4j_findings.stdout file about vulnerable instances and will ignore scan status in log4j_findings.stderr. This will help customers discover vulnerable instances if the utility script in subsequent runs was stopped abruptly or the scan utility failed to write scan status correctly in log4j_findings.stderr.
Windows Authenticated Checks:
The results section for scan utility QIDs will be updated to make it consistent with the Linux Auth QIDs. The JNDI_CLASS_STATUS column will be updated, an instance will have the status as “JNDI CLASS FOUND” when JNDI Lookup class was found and have status as “JNDI CLASS NOT FOUND” when the class is missing. Please refer to the screenshots below for details:
The changes will be released on 04/28/2022.
When will these changes be available for the out-of-band scanner?
https://github.com/Qualys/log4jscanwin
Thank you