Log4j vs DAST Tools – Who’s The First?

Suphi Cankurt

Founder @ AppSec Santa

Summary

I've follow up application security tools build history to figure out which company took action against Log4j vulnerability first.

9 min read

Log4j (CVE-2021-44228) is the latest news in the cybersphere, and It looks like we haven't seen it all yet.

First, it was reported by Chen Zhaojun from Alibaba Cloud Security Team on December 9. However, thanks to Cloudflare CEO Matthew Prince, now we know that there have been early tracks of Log4j exploitation since December 1.

The issue is still hot, and every day new vulnerability reports are getting published about Log4j.

Now let's see which dast tools can detect Log4j at the moment and how fast they released an update for it?

Veracode

– update released on December 10, 2021

Qualys

– update released on December 11, 2021

Tenable.io

– update released on December 11, 2021

Detectify

– update released on December 11, 2021

Detectify has had tests in our DAST tool, Application Scanning, since early morning December 11. In addition to that we've continued to add more security modules with different testing methods/payloads to verify if the bugs are exploitable. We test for both CVE-2021-44228: Log4Shell (log4j) RCE and CVE-2021-45046: Log4Shell (log4j) Bypass RCE. What's more interesting is that we've also added different kinds of testing in our EASM tool, Surface Monitoring which finds log4j vulnerabilities in different technologies such as Tableau, VMware, various apache software. We continually expand the coverage as we crowdsource the payloads from our Crowdsource hacker community.

Now I want to hear from you.

What is your experience with your DAST tool to detect Log4j?

And if you still don't have a DAST tool yet, you can start with a Free Trial.

2 Comments

Show all Most Helpful Highest Rating Lowest Rating Add your review

Reply
Amal Dec 23, 2021 at 5:58 pm

VERY GOOD POST
- Reply
  Suphi Cankurt Dec 23, 2021 at 6:05 pm
  
  thanks, Amal. I will keep updating the list with the additional info coming from vendors.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Log4j vs DAST Tools – Who’s The First?

Veracode

Qualys

Tenable.io

Detectify

Acunetix

Invicti

Burp Suite

HCL AppScan

Syhunt Dynamic

InsightAppSec

Sentinel Dynamic

Leave a reply Cancel reply