Log4j vs DAST Tools – Who’s The First?

Summary

I followed the build histories of application security tools to figure out which company took action against the Log4j vulnerability first.


Log4j vs DAST Tools

Log4j (CVE-2021-44228) is the latest news in the cybersphere, and it looks like we haven't seen it all yet.

First, it was reported by Chen Zhaojun from the Alibaba Cloud Security Team on December 9. However, thanks to Cloudflare CEO Matthew Prince, we now know that there were early traces of Log4j exploitation as far back as December 1.

The issue is still hot, and every day new vulnerability reports are getting published about Log4j.

Now let's see which DAST tools can detect Log4j at the moment, and how fast they released an update for it.

– update released on December 10, 2021
– update released on December 11, 2021
– update released on December 11, 2021
– update released on December 11, 2021
From: Linus Kingfors, Detectify Product Manager
Detectify has had tests in our DAST tool, Application Scanning, since early morning on December 11. In addition to that we've continued to add more security modules with different testing methods/payloads to verify if the bugs are exploitable. We test for both CVE-2021-44228: Log4Shell (log4j) RCE and CVE-2021-45046: Log4Shell (log4j) Bypass RCE. What's more interesting is that we've also added different kinds of testing in our EASM tool, Surface Monitoring, which finds log4j vulnerabilities in different technologies such as Tableau, VMware, and various Apache software. We continually expand the coverage as we crowdsource the payloads from our Crowdsource hacker community.
– update released on December 13, 2021
– update released on December 14, 2021
– there are 2 extensions released on December 16, 2021
– update released on December 17, 2021
– update released on December 17, 2021
– update released on December 22, 2021
– update released on December 24, 2021
So… What Do You Think?

Now I want to hear from you.

What is your experience with your DAST tool's ability to detect Log4j?

Who's The First?