As Log4j vulnerability continues to haunt the internet world, more bug scanners have surfaced online to help prevent real-time exploits. Recently, the US CISA and CrowdStrike have also separately released Log4j vulnerability scanners for free.
US CISA, CrowdStrike Log4j Scanners
The US Cybersecurity and Infrastructure Security Agency (CISA) has recently released a free Log4j scanning tool. As announced from its official Twitter account, US CISA intends to help organizations proactively detect and address Log4j vulnerabilities with this open-source scanner.
We published an open-sourced log4j-scanner derived from scanners created by other members of the open-source community. This tool is intended to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities: https://t.co/af8uszW8K4
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 21, 2021
Regarding the scanning tool available on GitHub, CISA explained,
The information and code in this repository is provided “as is” and was assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community.
Likewise, CrowdStrike has also released a Log4j vulnerability scanner to help the cybersecurity community. They have also put up their tool as open-source on GitHub.
Identifying this tool as CAST (CrowdStrike Archive Scan Tool), the firm explained that this tool could scan different directories for vulnerable Log4j versions.
Elaborating on this tool in a blog post, CrowdStrike stated,
The free CrowdStrike tool (dubbed the CrowdStrike Archive Scan Tool, or “CAST”) performs a targeted search by scanning a given set of directories for JAR, WAR, ZIP and EAR files, and then it performs a deeper scan on those file types matching against a known set of checksums for Log4j libraries…
CAST searches for approximately 6,500 SHA256 checksums unique to the known vulnerable releases. It will walk the files or directories scanning inside of ZIP-format archives to find every instance of these.
The firm believes that this tool will facilitate organizations to scan their systems as it supports multi-platform compatibility. Specifically, CAST works on Windows, macOS, and Linux alike.
Before these scanners, Google also added Log4j detection functionality in its OSS-Fuzz tool.
Hence, users now have multiple ways to detect vulnerable Log4j instances affecting their systems. Also, users must ensure updating to Log4j version 2.17.0 at the earliest to receive the patch against the devastating Log4Shell vulnerability.