We've created a new tool to help Corvus policyholders uncover any vulnerable instances of Log4j. Here's an FAQ.
We are no longer offering the Log4j Vulnerability scan. We've achieved universal updates among our policyholder base.
Who is this for?
All Smart Cyber Insurance and Smart Tech E&O policyholders are eligible to request a free Log4j Vulnerability Scan from Corvus. Scans can be requested by filling out a brief form.
What is the Log4J vulnerability?
The Log4j utility is commonly included in Java based third party software and multiple Apache web frameworks. The initial reported vulnerability allows unauthenticated users to execute malicious commands on systems. The vulnerability impacts a large number of applications. It can impact both Internet facing systems and possibly internal systems depending on the setup of the system. Working exploit code is publicly available and threat actors are actively scanning and exploiting systems. See our Alert about Log4j for more information.
How will Corvus scan for log4j vulnerabilities?
To detect potential log4j vulnerabilities, Corvus will run a remote-based scan by attempting to inject non-malicious code via web requests to the policyholder's IP addresses. If Corvus is able to successfully inject the non-malicious code, the policyholder’s system will ping a Corvus hosted cloud server, indicating the presence of a potential Log4j vulnerability. Policyholders will be able to see these requests as corvus-log4scan.com as to make it clear we are attempting the test.
If no ping is received back on the server, it means we were unable to detect a Log4j vulnerability on this external facing environment. Policyholders are encouraged to run Log4j scans on their local environments to fully protect themselves from other potential Log4j vulnerabilities. We recommend using the CrowdStrike Archive Scan Tool to perform a scan of your internal systems, for the most holistic view of your assets.
What if there is a detected vulnerability?
If a vulnerability is detected, the Corvus Risk + Response team will inform the policyholder and provide guidance or third-party vendor recommendations.
The Risk + Response team will also inform the policyholder if no Log4j vulnerability is detected by the scan.
Are there any policy or rating impacts?
Use of this tool will not cause any changes to coverage or rating for your current policy term. Corvus reserves the right to utilize such results or participation in the scan during the underwriting of any new business or renewal policies.
Are there additional steps after completing the scan and receiving guidance from Corvus?
Regardless of the outcome of the scan, we are recommending that all policyholders use the CrowdStrike Archive Scan Tool (CAST), which performs a local scan of internal systems to look for applications running versions of Log4j. Using both Corvus’s Log4j Vulnerability Scan and CAST will provide you with a holistic inspection of IT assets