I am trying to check for the log4j vulnerability in GeoServer, both before and after updating the old log4j package to the new package which resolves the issue. For that, I am using the ZAP tool to check for the vulnerability, where I found the active scan rule alpha. This rule attempts to discover the Log4Shell (CVE-2021-44228) vulnerability. Check out this link for more information: https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-alpha/. I am also a little confused about how to execute this active scan rule alpha. Please share some information about its execution. My question is whether this is the right way to check for this log4j vulnerability in GeoServer, or are there any other ways to do this?
You need to enable an OAST service (via Options / OAST) first. You can either use one of the public ones we have pre-configured or stand up your own instance. We also recommend that you scan headers as well, as this vulnerability is often exposed through them.
For more details see this blog post :) https://www.zaproxy.org/blog/2021-12-14-log4shell-detection-with-zap/

Simon Bennetts

- While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/30591850) – Robert Dec 15 '21 at 15:55
- We don't delete blog posts or change links :) But I can add a bit more without trying to reproduce the whole blog post... – Simon Bennetts Dec 15 '21 at 16:12
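The ZAP active scan rule plus an OAST service confirms at runtime whether a request header or parameter reaches a vulnerable logger. A complementary static check, useful for the "before and after updating the package" comparison in the question, is to inspect the jars actually deployed in the GeoServer web application (its `WEB-INF/lib` directory). The script below is an added example written for this answer, not code from the ZAP project or from GeoServer. It walks a directory, identifies `log4j-core` jars from their Maven `pom.properties`, reports the version, and checks whether the `JndiLookup` class is still present (removing that class was the documented mitigation when upgrading was not possible). The affected-version range it encodes is the one published for CVE-2021-44228: 2.0-beta9 through 2.14.1, excluding the later back-ported fix releases 2.3.1, 2.12.2 and 2.12.3. The `demo()` function builds a few constructed, minimal jars in a temporary directory so the script runs offline; the paths and jar names there are placeholders, not real GeoServer artifacts.

```python
"""Static Log4Shell (CVE-2021-44228) exposure check for a directory of jars.

Complements ZAP's OAST-based active scan: ZAP proves exploitability over
HTTP, this only inspects the files on disk (e.g. GeoServer's WEB-INF/lib).
"""
import os
import sys
import tempfile
import zipfile

# Paths inside a log4j-core jar. The class is the one the mitigation removes.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def version_tuple(version):
    """Split '2.0-beta9' into ((2, 0, 0), 'beta9') for ordered comparison."""
    base, _, qualifier = version.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]), qualifier


def is_affected_version(version):
    """True if the version lies in the CVE-2021-44228 range 2.0-beta9 .. 2.14.1,
    minus the back-ported fix releases 2.3.1, 2.12.2 and 2.12.3."""
    base, qualifier = version_tuple(version)
    if base < (2, 0, 0) or base > (2, 14, 1):
        return False
    if base == (2, 0, 0) and qualifier.startswith("beta"):
        digits = qualifier[4:]
        return digits.isdigit() and int(digits) >= 9  # JNDI lookup arrived in beta9
    if base in ((2, 3, 1), (2, 12, 2), (2, 12, 3)):
        return False
    return True


def scan_jar(path):
    """Return a finding dict for one jar, or None if it is not log4j-core."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES not in names and JNDI_LOOKUP_CLASS not in names:
            return None
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
    # No JndiLookup class means the mitigation was applied; an unknown version
    # with the class present is treated as vulnerable until reviewed.
    return {
        "jar": os.path.basename(path),
        "version": version,
        "jndi_lookup_present": has_jndi,
        "vulnerable": has_jndi and (version is None or is_affected_version(version)),
    }


def scan_dir(root):
    """Scan every .jar under root and return the log4j-core findings, sorted by name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                finding = scan_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["jar"])


def build_demo_jar(path, version, include_jndi):
    """Write a constructed minimal jar (not a real log4j build) for the demo."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode
        zf.writestr("org/example/Other.class", b"")


def demo():
    """Scan three constructed jars in a temp dir; returns {jar name: vulnerable}."""
    with tempfile.TemporaryDirectory() as lib:
        build_demo_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_demo_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)
        build_demo_jar(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
        with zipfile.ZipFile(os.path.join(lib, "unrelated.jar"), "w") as zf:
            zf.writestr("org/example/Foo.class", b"")
        return {f["jar"]: f["vulnerable"] for f in scan_dir(lib)}


if __name__ == "__main__":
    # Usage: python log4j_jar_check.py /path/to/geoserver/WEB-INF/lib
    results = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for item in (results if isinstance(results, list) else results.items()):
        print(item)
```

Run it against the library directory before and after the upgrade: the pre-upgrade run should list a log4j-core jar with `vulnerable: True`, the post-upgrade run should show the new version with `vulnerable: False`. A clean file scan does not replace the ZAP check, since a vulnerable log4j can also arrive through other bundled dependencies or shaded jars that this simple Maven-metadata lookup would not recognise.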