The US government’s top security agency has published a new scanning tool to help organizations find unpatched Log4j instances in their IT environment.
The Cybersecurity and Infrastructure Security Agency (CISA) posted the Log4j Scanner to GitHub yesterday. It claimed it’s a “project derived from other members of the open-source community” and designed to help find vulnerable web services impacted by the two flaws in the popular logging tool.
“This repository provides a scanning solution for the log4j remote code execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046),” CISA said. “The information and code in this repository is provided ‘as is’ and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.”
Cybersecurity firm FullHunt was name-checked in the release.
Log4j was patched earlier this month, but exploits appeared soon after. The initial CVE-2021-44228 bug, dubbed “Log4Shell”, was given a CVSS score of 10.0.
It’s deemed particularly dangerous because Log4j is bundled into numerous third-party software products, from iCloud to Minecraft. In some cases, it can be exploited relatively easily to achieve RCE for ransomware, cryptojacking, data theft, and more. Finding every Log4j instance may be difficult given the complex Java dependency trees operating in many enterprise environments.
As a result, some experts have said the threat could persist for years.
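The dependency problem above is why file-system inventory matters alongside network scanning. The following is an added example written for this article, not CISA's scanner or any project code: it opens an archive, recurses into jars nested inside wars and ears, reads the log4j-core version from its Maven `pom.properties`, and reports whether `JndiLookup.class` is still present. It assumes that 2.16.0 (Java 8+) and 2.12.2 (Java 7 branch) are the fixed releases for the two CVEs named above and that removing `JndiLookup.class` is the accepted mitigation for jars that cannot be upgraded; the sample EAR it scans is constructed in memory.

```python
import io
import re
import zipfile

# Deleting this class from the jar was Apache's mitigation for hosts that could not upgrade.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def version_affected(version: str) -> bool:
    """Assumption: 2.16.0 (Java 8+) and 2.12.2 (Java 7 branch) fixed both CVEs; older is affected."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return True  # unparseable version string: treat as needing review
    v = tuple(int(x) for x in m.groups())
    return v < (2, 12, 2) if v[:2] == (2, 12) else v < (2, 16, 0)

def scan_archive(blob: bytes, label: str, depth: int = 0, max_depth: int = 4) -> list[dict]:
    """Report every log4j-core in an archive, recursing into jars nested in wars/ears."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    names = set(zf.namelist())
    if POM in names:
        props = dict(l.split("=", 1) for l in zf.read(POM).decode("utf-8", "replace").splitlines() if "=" in l)
        version, has_jndi = props.get("version", "unknown").strip(), JNDI_CLASS in names
        findings.append({"archive": label, "version": version, "jndi_lookup": has_jndi,
                         "affected": has_jndi and version_affected(version)})
    if depth < max_depth:  # bounded recursion: nested archives are common, endless ones are not
        for n in sorted(names):
            if n.lower().endswith((".jar", ".war", ".ear", ".zip")):
                findings.extend(scan_archive(zf.read(n), f"{label}!{n}", depth + 1, max_depth))
    return findings

def _zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_fixture() -> bytes:
    """Constructed sample (not the real library): an EAR holding a WAR with three log4j-core jars."""
    old = _zip({POM: b"version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    stripped = _zip({POM: b"version=2.14.1\n"})  # JndiLookup.class removed, i.e. mitigated
    fixed = _zip({POM: b"version=2.16.0\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    war = _zip({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "WEB-INF/lib/a.jar": stripped,
                "WEB-INF/lib/log4j-core-2.16.0.jar": fixed})
    return _zip({"app.war": war})
```

On a real host, feed `scan_archive` every `.jar`/`.war`/`.ear` found by walking the file system; only the old jar that still carries `JndiLookup.class` is reported as affected.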
A second, denial-of-service flaw (CVE-2021-45046) was found days later, although it has a lower CVSS score of 7.5.
CISA said the scanning tool would only help security teams “look for a limited set of currently known vulnerabilities in assets owned by their organization.” It warned that there may be “as yet unknown” ways for threat actors to leverage the vulnerabilities and said it is continuing to monitor community chatter to ensure its advice is current.