Log4j Scanner by CISA Has Been Released to Look for Security Vulnerabilities, Flaws from Apps

Log4j scanner by CISA or the Cybersecurity and Infrastructure Security Agency of the United States has been released to the public, which helps them hunt down the security vulnerabilities and flaws from web services.

Corsair Keyboard K100 Bug Types Words Users Previously Use
BERLIN, GERMANY - JANUARY 25: In this photo illustration a young man types on an illuminated computer keyboard typically favored by computer coders on January 25, 2021 in Berlin, Germany. by Sean Gallup/Getty Images

Log4j Scanner by CISA

The scanner specifically looks for the critical vulnerabilities from the two Apache Log4j remote code executions, such as the CVE-2021-45046 and the CVE-2021-44228, as per the news story by Bleeping Computer.

The Rapid Action Force Team of the cybersecurity agency of the US helped develop the said Log4j scanner.

CISA further said in a statement that the "log4j scanner is a project derived from other members of the open-source community" that was created by its Rapid Action Force or RAF team.

It is worth noting that CISA specifically organized RAF to find the existing vulnerabilities found on the web services of the affected users of Apache's Log4j logging system.

The project page of CISA's log4j-scanner disclosed some of the features that its users should expect, including fuzzing for HTTP POST Data parameters, JSON data parameters, and over 60 HTTP request headers.

On top of that, the scanner for the massive security flaw also provides a list of URLs with the Log4j bug.

Not to mention that it also includes support for the DNS callback for both validation and discovery of the security flaw.

Log4j Scanner

Bleeping Computer noted in the same report that the scanning tool that CISA released is based on another similar solution that the cybersecurity company that goes by the name FullHunt developed.

What's more, the said automated scanning framework hunts down any CVE-2021-44228 security flaw, which is also known as the Log4Shell malware vulnerability.

Log4J and CISA

According to the report by Dark Reading, the Secretary of the US Homeland Security, Alejandro Mayorkas, announced on his Twitter account that the Log4j security flaw will be included in its bug bounty program that goes by the name "Hack DHS."

The Homeland secretary added that the program that was announced last Dec. 15 will be giving incentives to those who could hunt and patch any Log4j flaws from the system of Homeland Security.

It is worth noting that the Department of Homeland Security or DHS is the parent agency of CISA after it succeeded the National Protection and Programs Directorate back in 2018.

This article is owned by Tech Times

Written by Teejay Boris

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Tags:Log4j
Join the Discussion
Real Time Analytics