greenbone / openvas-scanner

This repository contains the scanner component for Greenbone Community Edition.
https://greenbone.github.io/docs/
GNU General Public License v2.0

Log4j Http active report False Positives #1531

Closed sed-ats closed 9 months ago

sed-ats commented 11 months ago

Actual behavior

I updated the scanner from version 22.7.3 to version 22.7.9 and began to receive a huge number of false positive alerts

Apache Log4j 2.0.x Multiple Vulnerabilities (TCP, Log4Shell) - Active Check

Apache Log4j 2.0.x Multiple Vulnerabilities (UDP, Log4Shell) - Active Check

Apache Log4j 2.0.x Multiple Vulnerabilities (HTTP Web Root, Log4Shell) - Active Check

GVM versions

gsa: 22.08.0

gvm: 23.1.0

openvas: 22.7.9

gvm-libs: 22.7.3

openvas-smb: 22.5.6

ospd-openvas: 22.6.2

Environment

Operating system: Ubuntu 22.04.3 LTS

Installation method: source installation

cfi-gb commented 11 months ago

Note for the scanner team: The user has been redirected from https://forum.greenbone.net/t/log4j-http-active-report-false-positives-time-to-time/11496/5 to this issue tracker, as no changes on the VT side have been made to these for many months.

> I updated the scanner from version 22.7.3 to version 22.7.9 and began to receive a huge number of false positive alerts

Not sure but if this only happened after an update one of these changes:

https://github.com/greenbone/openvas-scanner/compare/v22.7.3...v22.7.9

or some updates done via other components like in ospd-openvas or gvm-libs might have introduced some regression in the PCAP handling or similar?

jjnicola commented 11 months ago

Hello @sed-ats Is this a Windows target?

sed-ats commented 11 months ago

> Hello @sed-ats Is this a Windows target?

I didn't see any pattern. For example, on Windows it sometimes detects Apache Log4j 2.0.x Multiple Vulnerabilities (TCP, Log4Shell) on ports 49668/tcp, 49666/tcp, 49674/tcp, 445/tcp.

On macOS and Linux (Ubuntu) it seems like it's random.

Port 7000/tcp was opened on the MacBook and also Apache Log4j 2.0.x Multiple Vulnerabilities (HTTP Web Root, Log4Shell).

On Linux, on ports 80/tcp, 67/udp, 8200/tcp: Apache Log4j 2.0.x Multiple Vulnerabilities (HTTP Web Root, Log4Shell), Apache Log4j 2.0.x Multiple Vulnerabilities (TCP, Log4Shell), Apache Log4j 2.0.x Multiple Vulnerabilities (UDP, Log4Shell).

sed-ats commented 9 months ago

Hello everyone, I'm closing the task because I found a problem and it was on the server side. The problem was incorrect limits in /etc/security/limits.conf.

jjnicola commented 9 months ago

@sed-ats thanks a lot for notifying. Best regards