As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Use ThreadFix to Help Identify Log4j in Your Environment

ThreadFix Log4j Vulnerability Response

Coalfire continues to research the Log4j CVE logged on December 10 (CVE-2021-44228). Our investigations still show that ThreadFix is not susceptible to Log4Shell or the subsequent exploit CVE-2021-45046.

However, given that we have already moved away from Log4j to an alternate logging framework for ThreadFix 3.1, we have decided to take extra precautions and replace Log4j for our clients still using ThreadFix 2.8, even though it does not include the impacted class.

January 10th, 2022 Update

ThreadFix version 2.8.5.1 contains updates addressing the log4j vulnerability. Please note the download file and release notes below:


Once you’ve imported your most recent scans, ThreadFix can help identify Log4j in your environment.

Choose from one of the following methods to search for Log4j:

Search ThreadFix for Log4j Dependencies

The most thorough way to look across your entire portfolio for any Log4j dependencies is to perform a vulnerability search.

Step 1: Go to the Analytics section, Vulnerability Search tab.

This page shows you all known vulnerabilities across your scanned applications, sorted by severity first and by issue type (typically CWE) second. To best identify where you may have Log4j in use, change the pivots within the Filters section.

Step 2: Set the Filters.

  • Select Dependency from the Primary Pivot menu.

  • Select Severity from the Secondary Pivot menu.

  • To filter further in the Vulnerability Detail group, select Critical or High under Severity and select Dependency under Analysis Type.

  • Click Apply.

    • All instances with the applied filters will be displayed in Results.

Step 3: Locate Log4j components.

Visually scan the results for Log4j instances, or use your browser's find function (CTRL+F, or CMD+F on Mac) to search for “log4j”.

Step 4: Expand each Log4j component to see which applications are susceptible.

The results displayed are contingent upon your scanners.

Search ThreadFix for CVEs

Another method of locating Log4j is to search for the specific CVE value for this issue (for example: CVE-2021-44228).

Step 1: Go to the Analytics section, Vulnerability Search tab.

Step 2: Set the Filters.

  • From Filters, expand Vulnerability Detail.

  • Enter the CVE Value to search, then click Apply.

    • If ThreadFix contains the searched CVE value, all instances will be displayed in Results.

Step 3: Expand each Log4j component to see which applications are susceptible.

The results displayed are contingent upon your most recent scans. The CVEs listed in the dropdown are only those that have been reported to ThreadFix through a scan result.
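The two searches above (the Dependency/Severity pivot with a “log4j” find, and the CVE value lookup) can also be reproduced outside the UI once findings are exported. The script below is an added example and is not ThreadFix's or Coalfire's code; the findings, field names and scanner names in it are constructed for illustration and do not reflect ThreadFix's export schema, and every CVE other than the two named on this page is an obvious placeholder. It shows why the two methods give different answers: scanners name the same Log4j artifact differently, so the name search is broad (it also catches a Log4j 1.x artifact that the CVE search does not), while the CVE search is precise but limited to CVEs a scan actually reported.

```python
"""Log4j triage over a constructed ThreadFix-style findings export.

Reproduces the two searches described on this page outside the UI:
  1. pivot Dependency findings by component, then severity, and find "log4j";
  2. look up one CVE value and list the applications that reported it.
The findings and field names are constructed for this example (assumption);
they are not ThreadFix's export schema.
"""
from collections import defaultdict

# Constructed sample findings. The scanners name the same Log4j artifact
# differently, which is why Step 3 is a substring "find" and not an exact
# match. CVEs other than the two on this page are placeholders.
SAMPLE_FINDINGS = [
    {"application": "billing-api", "scanner": "SCA-A", "analysis_type": "Dependency",
     "component": "org.apache.logging.log4j:log4j-core", "version": "2.14.1",
     "severity": "Critical", "cve": "CVE-2021-44228"},
    {"application": "billing-api", "scanner": "SCA-A", "analysis_type": "Dependency",
     "component": "org.apache.logging.log4j:log4j-core", "version": "2.14.1",
     "severity": "Critical", "cve": "CVE-2021-45046"},
    {"application": "customer-portal", "scanner": "SCA-B", "analysis_type": "Dependency",
     "component": "Log4j-Core", "version": "2.15.0",
     "severity": "Critical", "cve": "CVE-2021-45046"},
    {"application": "reporting", "scanner": "SCA-A", "analysis_type": "Dependency",
     "component": "log4j:log4j", "version": "1.2.17",
     "severity": "High", "cve": "CVE-PLACEHOLDER-1"},   # Log4j 1.x, an unrelated issue
    {"application": "reporting", "scanner": "SAST-C", "analysis_type": "Static",
     "component": "", "version": "", "severity": "High", "cve": ""},  # not a dependency finding
    {"application": "inventory", "scanner": "SCA-B", "analysis_type": "Dependency",
     "component": "com.example:other-lib", "version": "1.0",
     "severity": "Critical", "cve": "CVE-PLACEHOLDER-2"},
    {"application": "inventory", "scanner": "SCA-B", "analysis_type": "Dependency",
     "component": "org.apache.logging.log4j:log4j-api", "version": "2.14.1",
     "severity": "Medium", "cve": ""},   # dropped by the Critical/High filter
]


def pivot_dependencies(findings, severities=("Critical", "High")):
    """Method 1, Step 2: Analysis Type = Dependency, Severity in Critical/High,
    primary pivot = component, secondary pivot = severity.
    Returns {component: {severity: [applications...]}} with sorted lists."""
    table = defaultdict(lambda: defaultdict(set))
    for f in findings:
        if f["analysis_type"] != "Dependency" or f["severity"] not in severities:
            continue
        table[f["component"]][f["severity"]].add(f["application"])
    return {comp: {sev: sorted(apps) for sev, apps in sevs.items()}
            for comp, sevs in table.items()}


def find_log4j_components(pivot, needle="log4j"):
    """Method 1, Step 3: the CTRL+F over the pivoted results, case-insensitive
    substring match so differently named artifacts are all caught."""
    return {comp: sevs for comp, sevs in pivot.items() if needle in comp.lower()}


def susceptible_applications(hits):
    """Method 1, Step 4: expand every matching component and collect the
    applications that depend on it."""
    return sorted({app for sevs in hits.values() for apps in sevs.values() for app in apps})


def known_cves(findings):
    """The CVE dropdown only offers values that a scan has actually reported."""
    return sorted({f["cve"] for f in findings if f["cve"]})


def applications_for_cve(findings, cve_id):
    """Method 2: CVE value lookup; returns the applications that reported it."""
    wanted = cve_id.strip().upper()
    return sorted({f["application"] for f in findings if f["cve"].upper() == wanted})


if __name__ == "__main__":
    hits = find_log4j_components(pivot_dependencies(SAMPLE_FINDINGS))
    for comp, sevs in hits.items():
        print(f"{comp}: {dict(sevs)}")
    print("Applications with a Log4j dependency:", susceptible_applications(SAMPLE_FINDINGS and hits))
    print("CVEs available to search:", known_cves(SAMPLE_FINDINGS))
    for cve in ("CVE-2021-44228", "CVE-2021-45046"):
        print(cve, "->", applications_for_cve(SAMPLE_FINDINGS, cve))
```

Running it shows the gap between the two methods: the name search lists three components across three applications, while CVE-2021-45046 resolves to two applications and CVE-2021-44228 to one, because the 1.x artifact carries a different CVE and one scanner reported only the later CVE for its 2.15.0 finding.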


If you have any questions, please contact support at support@threadfix.it.


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.