Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog


Assess Log4Shell Like an Attacker With Tenable’s Dynamic Detections

Defenders need to pull out all the stops when it comes to Log4Shell. Tenable provides dynamic remote Log4Shell vulnerability detections to incorporate the attacker’s perspective of your organization.

The Log4Shell vulnerability in Apache Log4j presents significant challenges for security teams. Tenable is now providing dynamic remote checks, local plugins and tactical scan templates to make it easy for security professionals to detect this internet-breaking vulnerability.

Not only does Log4Shell introduce new open-source and software supply-chain issues, but detecting Log4Shell requires the industry to think differently about how to discover this critical vulnerability. There are a number of techniques that vulnerability management providers use to assess targets for exposures. One common approach is using local checks to identify current software versions and enumerate vulnerabilities contained in outdated software. 

However, with distributed software systems like Java and its many open-source libraries, it’s difficult to find software libraries like Log4j embedded in enterprise applications. The result is that local checks that are simply querying for installed software often have many false negative results, leading to a false-sense of security in instances like Log4Shell. Security teams are simply not aware of all the instances where Log4j is used in their environment. Local checks must be used in conjunction with dynamic remote checks to cover a larger attack surface area. 

Enter: Dynamic Remote Checks

This is where a new approach to remote checks comes into play. Dynamic remote checks send pseudo-exploit code to a target with the aim of discovering vulnerabilities throughout the entire system. This is the same approach an attacker would use to exploit the vulnerability but better: dynamic remote checks are completely safe to run. This method provides direct evidence that a system or application is vulnerable and has no negative impact on your security posture, systems or service levels.. 

In addition to the accuracy advantage, these checks can be remotely operated: they don’t require agents or authenticated scans to identify the vulnerability that local checks rely on for deep insight and accuracy. Remote scans are preferred by security teams responding urgently to a headline security event and don’t have time to install software or search for credentials.

Using Dynamic Remote Checks for Log4Shell

Since December 10, Tenable Research has released a number of dynamic remote checks across multiple products to help detect Log4Shell. The way we have built these plugins follow these steps:

  1. Tenable scanners send out a request to a scan target using a benign payload containing a crafted JNDI script.
  2. The target, if vulnerable to Log4Shell, will act on the payload.
  3. Tenable tracks the target’s action on the payload using a couple of techniques tailored to work in different deployment environments.

Here’s the secret sauce: how we perform step three varies depending on whether customers have deployed on-premises scanners versus cloud scanners. For on-premises scanners we simply use the Lightweight Directory Access Protocol (LDAP) connection for the callback to the scanner. If the callback happens, the target is confirmed to be vulnerable. See figure 1 below for how this works in Plugin 155998

Figure 1

Figure 1

However, for cloud scanners we had to adjust tactics since they are outside of the firewall and external to the target. To address this issue, Tenable created a separate, secure, hosted environment in order to track the payload injection (and token) via DNS using default port 53. The scanner then performs a lookup against the Tenable controlled server to find the unique token that was sent in the initial request. If the token is there, the target is confirmed to be vulnerable. See figure two below for how this works in Plugin 156014. We have also expanded upon this approach in additional plugins to assess any open port and include SIP, SMTP, POP3, FTP, Telnet, IMAP and SSH.

Figure 2

Figure 2

To discover web apps vulnerable to Log4Shell, we used a similar approach as Plugin 156014 to support cloud scanners in Tenable.io Web App Scanning (WAS). The key difference is that this dynamic check injects a payload into numerous portions of the web application, including various inputs, HTTP headers, POST/GET values, XML, JSON and cookies. Just as we used a Tenable controlled server to find unique tokens of vulnerable targets, we do the same for vulnerable web apps in exactly the same way. See figure 3 below for how this works in Plugin 113075.

Figure 3

Figure 3

Best of Both Worlds

While dynamic remote checks are one of the most effective ways to minimize false negatives in the early days of Log4Shell, it is only part of the solution. You still need a combination of checks to gain full visibility into your Log4Shell exposures, especially as security advisories are issued by vendors impacted by vulnerable Log4j libraries. As always, using credentials to enable authenticated scans is essential for many static checks in order to gain “inside-out” visibility of the asset. 

Tenable has released a number of local checks supporting Log4Shell that cover both “generic” version detections that check RPM packages and search file system paths for vulnerable Log4j matches on the local system and “specific” version detections that support product specific vendor advisories that require security updates. 

This link provides the latest list of Tenable plugins available to help you identify Log4Shell and related vulnerabilities in your organization. In addition, this Tenable Community post provides additional supporting information about the plugins Tenable has released and how they work in more detail. 

Take Action Today with Tactical Scans

As the list of Log4j-related vulnerabilities are growing and as new Tenable plugins are quickly being developed, it can be overwhelming to keep track of all of the changes while you’re putting out Log4Shell fires internally. Thankfully, you don’t have to. Tenable has created several scan templates to make it easy to configure and run assessments looking for Log4Shell. 

For Nessus Professional, Tenable.sc and Tenable.io customers, we recommend using the Log4Shell Vulnerability Ecosystem scan, which will dynamically update automatically to include the latest vulnerability plugins as 3rd-party vendors patch their software. For Tenable.io Web App Scanning customers, please also use the preconfigured Log4Shell web app scan template. We recommend frequent rescanning at regular intervals to keep up-to-date and using credentials for local static checks.

We’re Here to Help!

To help you better defend against Log4Shell, we will be holding a series of live, how-to sessions in early January. These sessions will provide live product demos, recommended best practices and extended Q&A. We hope to see you there!

You can register here:

Finally, please check out the following product video tutorials on discovering Log4Shell to help you get the most value out of your investment with Tenable. 

Learn more

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.


Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.