Log4j mitigation

• Previous message (by thread): Log4j mitigation
• Next message (by thread): Log4j mitigation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2021-12-13 at 17:07 +0200, Hank Nussbacher wrote:
> Scan your systems:
> https://github.com/logpresso/CVE-2021-44228-Scanner
> https://github.com/fullhunt/log4j-scan

This is possibly a weird question, but has anyone set up a known-
vulnerable system? To test especially the second of those scanners?

Alternatively, can anyone here vouch for the tool (i.e., you've done an
A/B test on a site with the vulnerability present and again on the same
system with the vulnerability mitigated, and the tool got it right in
both cases)?

I have plenty of known-INvulnerable systems :-)

The thing is I have a few systems that I would have thought were
vulnerable but the second tool above reports them as not being
vulnerable. Making me slightly doubt the efficacy of the tool. I this
situation, I'd like to know for a fact that it will detect this
vulnerability.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170

• Previous message (by thread): Log4j mitigation
• Next message (by thread): Log4j mitigation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]