• Home
  • |
  • Blog
  • |
  • How To Identify Log4j Vulnerable Assets In Nessus?
How to Identify Log4j Vulnerable Assets in Nessus

Well, if you take 5 minutes of time to check the Log4j vulnerabilities on a single system, it takes several weeks for you to check the log4j vulnerability for the whole network. It may sound impractical to validate each asset manually. It’s a troublesome task. It may eat most of your computational and human resources. If you are in such a problem, you should look at vulnerability scanner tools like Nessus, which would help you reduce time and resources dramatically. Let’s see how to identify Log4j vulnerable assets in Nessus.

About Log4j Vulnerability

The vulnerability lice in when the Log4j2 library is able to receive variable data from the LDAP and JNDI lookup and execute it without verification. This resulted in an open threat that could be used to send the malicious payload by crafting a malicious request. This vulnerability is also named as Log4Shell and Log4Jam.

  1. A Critical 0-day Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library (CVE-2021-44228) allows attackers to carry out unauthenticated, remote code execution attacks.
  2. A new vulnerability (CVE-2021-45046) Log4j library allows attackers to perform denial of service (DOS) attacks by crafting malicious input data using a JNDI Lookup pattern.
  3. CVE-2021-45105 was discovered as the third vulnerability within the month that allows attackers to perform Denial of Service due to infinite recursion in lookup evaluation.
  4. Now the latest discloser is that the Log4j is affected by CVE-2021-44832- A Remote Code Execution Vulnerability which is fixed in v2.17.1.
vulnerabilityCVSSDescriptionFixed In
CVE-2021-4422810.0 CriticalUnauthenticated Remote Code Execution vulnerability in Log4j Logging Library2.15.0
CVE-2021-450463.7 LowDenial of Service vulnerability in Log4j Logging Library2.16.0
CVE-2021-451057.5 HighDenial of Service vulnerability in Log4j Logging Library due to infinite recursion in lookup evaluation2.17.0
CVE-2021-448326.6 MediumRCE vulnerability could allow attackers to modify the logging configuration file to execute code via a data source referencing a JNDI URI.2.17.1

Identify The Log4j Vulnerable Assets In Nessus

Log4j needs to be part of a running application or service that’s exposed to the internet or internal network to exploit the vulnerabilities. So the target systems should be connected to the network to scan for Log4j vulnerabilities from Nessus.

To identify Log4j Vulnerable assets In Nessus, you first need to detect which devices have Log4j installed and running as active service. This can be achieved by scanning your applications with your vulnerability scanner and identifying any internet-facing devices running Log4j.

How To configure Log4j template In Nessus?

To perform a vulnerability scan for Log4shell in Nessus Scanner, you need to configure the template to scan only the Apache Log4j and Apache Log4Shell related vulnerabilities. You can configure the Log4j vulnerabilities scan template in two ways.

  1. Advanced Scan Template
  2. Advanced Dynamic Scan Template

Advanced Scan Template

Before configuring the Advanced Scan template, we suggest you create a policy. The policy will use the predefined template for detecting known vulnerability

  1. Creating A Policy

    After logging into the Nessus Scanner on the homepage, you will find the policies under the resources tab. Click on the New Policy to start the configuration. Policies in Nessus

  2. Select Advanced Scan Template

    Select the Advanced Scan template from the predefined templates and configure the settings.Advanced Scan in Nessus

  3. Enable Log4j Vulnerabilities Plugins 

    Go to the Plugins tab and enable only the plugins related to the Log4j vulnerability. Please find the list of the Log4j Nessus plugins related to the Log4j vulnerability.
    Add Log4j Plugins in Nessus

  4. Initiate Network Scan Using The Template

    After configuring the policy, click on save and start a new scan using the user-defined template (New policy template using the advanced scan).Select Scan Templete In Nessus

  5. Advanced Scan Template
    Select Advanced Dynamic Scan Template

    Preparation of the template using this method remains the same as creating a policy, but with one exception. While creating a policy, select the Advance Dynamic Scan template and configure the settings.Advanced Dynamic Plugin in Nessus

  6. Select Log4j Dynamic Plugins And The Save Policy

    Go to the Dynamic Plugins and configure plugin name containing Apache Log4Shell and Apache Log4j with the parameter as Match any of the following. Once done, test by preview plugins. Finally, save the policy.Add Dynamic Log4j Plugin in Nessus

  7. Initiate Network Scan Using The Template

    Once the policy is created, perform a scan using the user-defined template and select the advanced dynamic scan policy.Run the Log4j Scan in Nessus

See Also  How to Patch a Critical XSS Vulnerability in Zimbra Collaboration Suite?

Based on the report from the Nessus, you can identify Log4j Vulnerable Assets with Log4j library version with path. As Log4j is a critical vulnerability, immediately share the report with respective asset owner teams to get it fixed soon.

We hope this post would help you know How to Identify Log4j Vulnerable Assets in Nessus. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.     

Read More:

About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.