Apache Log4j Installation File Detected

high Web App Scanning Plugin ID 113076

Language:

Synopsis

Apache Log4j Installation File Detected

Description

Apache Log4j is an open source Java-based logging framework leveraged within numerous Java applications. The scanner detected the presence of installation files referring to the usage of Apache Log4j.

Solution

Detected files require an immediate review to verify the presence of Apache Log4j and if it is affected by the critical vulnerability described in CVE-2021-44228. If confirmed, update Log4j to version 2.15.0 or later or apply the vendor suggested mitigations. Finally, ensure that proper restrictions are in place on the detected file, or remove it if not required.

See Also

https://logging.apache.org/log4j/2.x/

Plugin Details

Severity: High

ID: 113076

Type: remote

Family: Data Exposure

Published: 12/14/2021

Updated: 12/14/2021

Scan Template: api, basic, full, log4shell, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*

Reference Information

CWE: 425

OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A1

WASC: Predictable Resource Location

CAPEC: 127, 87

DISA STIG: APSC-DV-002560

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

PCI-DSS: 3.2-6.5.8