
Detecting the Log4j vulnerability with Invicti

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Invicti can detect whether you have Java applications vulnerable to remote code execution attacks targeting the Log4j library.

  • Thousands of Java applications across the world are wide open to remote code execution attacks targeting the Log4j library.
  • A fix is already available, so the recommended course of action is to update to Log4j 2.17.0 (or newer) immediately.
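As an added example (not Invicti's code), the following Python check complements the scanner from the inventory side: it reads the manifest of each JAR, recurses into WAR/EAR archives, and flags any bundled log4j-core below the 2.17.0 version recommended above. The `make_jar` and `sample_war` helpers build a constructed sample WAR in memory so the check runs offline; on a real host you would feed it the bytes of each deployed archive instead.

```python
"""Flag log4j-core JARs below the 2.17.0 fix level, including JARs nested in WAR/EAR files (added example, not Invicti code)."""
import io
import re
import zipfile
FIXED_VERSION = (2, 17, 0)  # minimum fixed version recommended above

def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)  # '2.14.1' -> (2, 14, 1)
    return tuple(int(x) for x in m.groups()) if m else None

def manifest_headers(archive_bytes):
    """Parse META-INF/MANIFEST.MF into a dict of headers (empty if absent)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in zf.namelist() else ""
    raw = raw.replace("\r\n", "\n").replace("\n ", "")  # rejoin wrapped continuation lines
    return dict(line.split(": ", 1) for line in raw.split("\n") if ": " in line)

def log4j_core_version(archive_bytes):
    """Version tuple if the manifest identifies the archive as log4j-core, else None."""
    headers = manifest_headers(archive_bytes)
    if "log4j core" not in headers.get("Implementation-Title", "").lower():
        return None
    return parse_version(headers.get("Implementation-Version", ""))

def find_vulnerable(archive_bytes, name):
    """Return [(path, version)] for every log4j-core below FIXED_VERSION in this archive or nested in it."""
    hits = []
    version = log4j_core_version(archive_bytes)
    if version is not None and version < FIXED_VERSION:
        hits.append((name, version))
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for entry in zf.namelist():
            if entry.lower().endswith((".jar", ".war", ".ear")):
                hits += find_vulnerable(zf.read(entry), f"{name}!/{entry}")
    return hits

def make_jar(title, version, nested=None):
    """Build a constructed in-memory JAR with the given manifest (sample data for testing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\nImplementation-Version: {version}\r\n")
        for path, data in (nested or {}).items():
            zf.writestr(path, data)
    return buf.getvalue()

def sample_war():
    """Constructed sample: a WAR bundling log4j-core 2.14.1 beside an unrelated library."""
    core = make_jar("Apache Log4j Core", "2.14.1")
    return make_jar("Demo App", "1.0", {"WEB-INF/lib/log4j-core-2.14.1.jar": core,
                                        "WEB-INF/lib/other.jar": make_jar("Other Library", "3.1.0")})
```

Calling `find_vulnerable(sample_war(), "demo.war")` reports the nested log4j-core 2.14.1 entry with its path inside the WAR; a 2.17.0 or newer log4j-core produces no report.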

For further information about Log4j, see Why Log4Shell could be the worst software vulnerability ever and Log4J FAQ.

To get the latest news and resources from Invicti on the Log4j crisis, visit Log4j vulnerability resource center.

To detect whether you have the Log4j library in your environment, you can use Invicti Enterprise and Invicti Standard.

This tutorial provides a step-by-step guide on how to identify the Log4j vulnerability using Invicti Enterprise and Invicti Standard.

Detecting the Log4j vulnerability with Invicti Enterprise

To detect the Log4j vulnerability with Invicti Enterprise, follow these steps:

  1. Configure a scan policy for Log4j
  2. Scan your application with the scan policy created in the 1st step
  3. Review the scan result

Using internal agents? To access Invicti’s Hawk server (r87.me) to detect out-of-band vulnerabilities, please allowlist the following ports on your agent server: TCP 80 and 443, and UDP 53.

Step 1. Configuring a scan policy for Log4j

You can configure a scan policy to run a security check to detect the Log4j vulnerability in your environment.

How to configure a scan policy for Log4j
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies > New Scan Policy.
  3. On the New Scan Policy page, enter a name and a description for your new scan policy.
  4. From the Security Checks section, select Code Evaluation > Log4j Code Evaluation (Out of Band).
  5. From the Security Checks section, select any other security check(s) you want.

Additional attacks on the headers may extend the scan’s duration.

  6. Select Save.

Step 2. Scanning your application with the custom scan policy

After you create a custom scan policy that includes the Log4j checks, you can now launch a scan to detect whether you are vulnerable to the Log4j attacks.

How to scan your application with the custom scan policy
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.

Before scanning your website in Invicti Enterprise, make sure you have added a website (Adding a website in Invicti Enterprise).

  3. In the Target URL field, enter the URL.
  4. From the Scan Policy drop-down, select the custom policy you created in Step 1.
  5. Select Launch to scan.

How to run a group scan with the custom scan policy
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Group Scan.
  3. On the New Website Group Scan page, select a website group from the Website Group drop-down menu.
  4. From the Scan Policy drop-down, select the custom scan policy you created in Step 1.
  5. Select Launch to scan.

Step 3. Reviewing scan result

When you launch the scan, Invicti Enterprise crawls and attacks your web application to identify the Log4j vulnerability.

Once Invicti completes the scanning, the application will send an email containing the link to the report. If you did not configure an email notification, you can log in to Invicti Enterprise and check your report.

How to access your scan report
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > Recent Scans.
  3. Next to the relevant scan, select Report.
  4. On the Scan Summary page, scroll down to the Technical Report section to view your scan report.

Detecting the Log4j vulnerability with Invicti Standard

To detect the Log4j vulnerability with Invicti Standard, follow these steps:

  1. Update Invicti Standard to the newest version
  2. Configure a scan policy for Log4j
  3. Scan your application with the scan policy created in the 2nd step
  4. Review the scan result

Step 1. Updating Invicti Standard to the newest version

You need to update Invicti Standard to the newest version so that it can detect the Log4j vulnerability in your application.

If you have Invicti Standard 6.2.1.33642 or newer, you can skip this step.

Installing Invicti Standard for the first time? For further information, see Installing Invicti Standard. Downloading Invicti Standard with your Enterprise license? See Downloading Invicti Standard from Invicti Enterprise.

How to update Invicti Standard
  1. Open Invicti Standard.
  2. At the prompt, select Download & Install.

You can also manually check for updates. From the Help tab, select Check for Updates. This will check whether a new version of Invicti Standard has been released. (Alternatively, press CTRL+U.)

Invicti downloads the update and applies it when Invicti Standard restarts.

Step 2. Configuring a scan policy for Log4j

With the newest version installed on your environment, you can now configure a scan policy to run a security check to detect the Log4j vulnerability in your environment.

How to configure a scan policy for Log4j
  1. Open Invicti Standard.
  2. From the main ribbon, select Home > Scan Policy Editor.
  3. Select New.
  4. Enter a name for your new scan policy. (This tutorial uses Log4j Policy as the custom scan policy name.)
  5. Select Security Checks.
  6. From the Security Check Groups section, double-click Code Evaluation, then select Log4j Code Evaluation (Out of Band).
  7. From the Security Checks section, select any other security check(s) you want.

Additional attacks on the headers may extend the scan’s duration.

  8. Select Apply, then OK to close the Scan Policy Editor window.

Step 3. Scanning your application with the custom scan policy

After you have created a custom scan policy to detect the Log4j vulnerability in your environment, you can run a scan.

How to scan your application to detect the Log4j vulnerability
  1. Open Invicti Standard.
  2. From the main ribbon, select New.
  3. In Start a New Website or Web Service Scan, enter your website.
  4. From the Scan Policy drop-down, select your custom scan policy.
  5. Select Start Scan to launch the scan.

Invicti Standard starts scanning your web application to detect whether there is a Log4j vulnerability in your environment.

Step 4. Reviewing scan result

When Invicti completes the scan, you can see the result in the Issues and Sitemap panels. The Issues panel lists all detected vulnerabilities and other issues.