The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2842 advisory.

  - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect     against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log     messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup     substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous     releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to     true or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the     classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
    (CVE-2021-44228)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host appears to be running SIP. SIP itself is not vulnerable to Log4Shell; however, the SIP application could potentially be affected if it attempts to log packet data via a vulnerable log4j library.

A negative result from this plugin does not prove conclusively that the remote system is not affected by Log4Shell, only that any scripts the SIP proxy may be running do not create the conditions that are exploitable via the Log4Shell flaw.

The remote web server is affected by a remote code execution vulnerability via a flaw in the Apache Log4j library. The vulnerability is due to the processing of unsanitized input sent to a logging function. A remote, unauthenticated attacker can explolit this, via a web request to execute arbitrary code with the permission level of the running Java process.

The remote Debian 10 / 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5020 advisory.

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an     SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent     through that appender. (CVE-2020-9488)

  - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect     against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log     messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup     substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous     releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to     true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar     org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see     https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code     execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and     com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A remote code execution vulnerability exists in Apache Log4j < 2.15.0 due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can explolit this, via a web request to execute arbitrary code with the permission level of the running Java process.

This plugin requires that both the scanner and target machine have internet access.

Apache Log4j is an open source Java-based logging framework leveraged within numerous Java applications. Apache Log4j versions 2.0-beta9 to 2.15.0 suffer from insufficient protections on message lookup substitutions when dealing with user controlled input. By crafting a malicious string, an attacker could leverage this issue to achieve a remote code execution on the Log4j instance used by the target application.

The version of Apache Log4j on the remote host is 2.x < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JNDI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. 

Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Log4j on the remote host is 2.x < 2.3.1 / 2.4 < 2.12.3 / 2.13 < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JDNI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. 

Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A remote code execution vulnerability exists in Apache Log4j < 2.15.0 due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can explolit this, via a web request to execute arbitrary code with the permission level of the running Java process.

The plugin relies on callbacks from the target being scanned and hence any firewall rules or interaction with other security devices will affect the efficacy of the plugin. The plugin will also not yield results on Tenable.io and customers are encouraged to use plugin IDs 155999, 156000, 156001, and 156002 instead when scanning with Tenable.io. We continue to explore options for additional detection.

This plugin will have the scanner listen for the callback on a random port in the 50000 to 60000 range.

ID	Name	Product	Family	Published	Updated	Severity
156018	Debian DLA-2842-1 : apache-log4j2 - LTS security update	Nessus	Debian Local Security Checks	12/13/2021	2/17/2023	critical
156017	SIP Script Remote Command Execution via log4shell	Nessus	General	12/12/2021	3/19/2024	critical
156016	Apache Log4Shell RCE detection via Path Enumeration (Direct Check HTTP)	Nessus	CGI abuses	12/12/2021	3/19/2024	critical
156015	Debian DSA-5020-1 : apache-log4j2 - security update	Nessus	Debian Local Security Checks	12/12/2021	2/17/2023	critical
156014	Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP)	Nessus	Web Servers	12/11/2021	3/19/2024	critical
113075	Apache Log4j Remote Code Execution (Log4Shell)	Web App Scanning	Component Vulnerability	12/11/2021	3/6/2024	critical
156002	Apache Log4j < 2.15.0 Remote Code Execution (Windows)	Nessus	Misc.	12/10/2021	10/27/2023	critical
155999	Apache Log4j < 2.15.0 Remote Code Execution (Nix)	Nessus	Misc.	12/10/2021	2/17/2023	critical
155998	Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check)	Nessus	Web Servers	12/10/2021	3/19/2024	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical

critical