AppSec Santa
Contact

Log4j vs DAST Tools – Who’s The First?

Suphi Cankurt
Suphi Cankurt
Founder @ AppSec Santa
Summary

I've follow up application security tools build history to figure out which company took action against Log4j vulnerability first.

9 min read

Free Trial
Log4j vs DAST Tools

Log4j (CVE-2021-44228) is the latest news in the cybersphere, and It looks like we haven't seen it all yet.

 

First, it was reported by Chen Zhaojun from Alibaba Cloud Security Team on December 9. However, thanks to Cloudflare CEO Matthew Prince, now we know that there have been early tracks of Log4j exploitation since December 1.

 

Cloudflare Log4j

 

The issue is still hot, and every day new vulnerability reports are getting published about Log4j.

 

Now let's see which dast tools can detect Log4j at the moment and how fast they released an update for it?

 

– update released on December 10, 2021
Veracode Log4j
– update released on December 11, 2021
Qualys WAS Log4j
– update released on December 11, 2021
Tenable.io Log4j
– update released on December 11, 2021
Detectify Log4j
From: Linus Kingfors
From: Linus Kingfors Detectify Product Manager
Read More
Detectify has had tests in our DAST tool, Application Scanning, since early morning December 11. In addition to that we've continued to add more security modules with different testing methods/payloads to verify if the bugs are exploitable. We test for both CVE-2021-44228: Log4Shell (log4j) RCE and CVE-2021-45046: Log4Shell (log4j) Bypass RCE. What's more interesting is that we've also added different kinds of testing in our EASM tool, Surface Monitoring which finds log4j vulnerabilities in different technologies such as Tableau, VMware, various apache software. We continually expand the coverage as we crowdsource the payloads from our Crowdsource hacker community.
– update released on December 13, 2021
Acunetix Premium Log4j
– update released on December 14, 2021
Netsparker Standard Log4j
Netsparker Enterprise Log4j
– there are 2 extension released on December 16, 2021
Burp Suite Log4j
– update released on December 17, 2021
HCL AppScan Log4j
– update released on December 17, 2021
Syhunt Log4j
– update released on December 22, 2021
Rapid7 InsightAppSec Log4j
– update released on Decanember 24, 2021
Sentinel Dynamic Log4j
So…What Do You Think?

Now I want to hear from you.

 

What is your experience with your DAST tool to detect Log4j? 

 

Who’s The First?

2 Responses

Leave a Reply

Your email address will not be published. Required fields are marked *

Privacy Policy | Terms of Use 

appsecsanta.com is part of CNT Friends Oy registered in Finland. Company No: 2993839-3 | © 2019-2022. All rights reserved.