Log4j vs DAST Tools – Who’s The First?

Suphi Cankurt

Founder @ AppSec Santa

Summary

I've follow up application security tools build history to figure out which company took action against Log4j vulnerability first.

9 min read

Log4j (CVE-2021-44228) is the latest news in the cybersphere, and It looks like we haven't seen it all yet.

First, it was reported by Chen Zhaojun from Alibaba Cloud Security Team on December 9. However, thanks to Cloudflare CEO Matthew Prince, now we know that there have been early tracks of Log4j exploitation since December 1.

The issue is still hot, and every day new vulnerability reports are getting published about Log4j.

Now let's see which dast tools can detect Log4j at the moment and how fast they released an update for it?

Veracode

– update released on December 10, 2021

Qualys

– update released on December 11, 2021

Tenable.io

– update released on December 11, 2021

Detectify

– update released on December 11, 2021

Detectify has had tests in our DAST tool, Application Scanning, since early morning December 11. In addition to that we've continued to add more security modules with different testing methods/payloads to verify if the bugs are exploitable. We test for both CVE-2021-44228: Log4Shell (log4j) RCE and CVE-2021-45046: Log4Shell (log4j) Bypass RCE. What's more interesting is that we've also added different kinds of testing in our EASM tool, Surface Monitoring which finds log4j vulnerabilities in different technologies such as Tableau, VMware, various apache software. We continually expand the coverage as we crowdsource the payloads from our Crowdsource hacker community.