Hello Folks. This is an urgent requirement to use BigFix to query the below details, so please help me with how to write the query for that.
CyberSecurity has just alerted me to a 0-day vulnerability which is called SpringShell or Spring4Shell. CyberSecurity has only recently begun to put together the components by which the vulnerability will exploit a given system or systems. However, we would like to fully understand the potential UNIX/Linux servers that could be exposed by this latest vulnerability (i.e., attack surface). As a result, could you please write a script OR utilize BigFix to query the UNIX and Linux servers for the below-installed components?
• Java 9 or greater
• spring-beans*.jar
Below are a few links that have been shared with me related to this vulnerability:
• SpringShell: Spring Core RCE 0-day Vulnerability - Cyber Kendra
• Spring4Shell: Security Analysis of the latest Java RCE "0-day" vulnerabilities in Spring | LunaSec
Could you please help me with this, i.e. how to write the query or analysis to get the results.
Here's a Task I created to detect where the Spring framework has been embedded in the WAR file.
We have the relevance targeting Linux hosts where the Java process version is >= 9.
override wait
timeout_seconds=60
disposition=terminate
parameter "scriptFile" = "{parent folder of parent folder of client folder of current site}/detectSpring.sh"
delete "{parameter "scriptFile"}"
createfile until __end__
#!/bin/bash
test -d /var/opt/BESClient/ || mkdir -p /var/opt/BESClient/
# For each .war from locate: skip exploded (directory) WARs, unpack the archive in a
# scratch dir and look for the spring-beans jar or the CachedIntrospectionResults class.
for war in $(locate -b --regex '[.]war$'); do
  war_file=$(basename "$war")
  file "$war" | grep -qv ' directory' || continue
  mkdir -p /tmp/bigfix && cp "$war" /tmp/bigfix/ && cd /tmp/bigfix && unzip -qjun "$war_file" \
    && ls | egrep -q -e 'spring-beans-.*\.jar' -e 'CachedIntrospectionResults.class' && echo "$war"
  rm -rf /tmp/bigfix/*
done > /var/opt/BESClient/Spring.txt
exit 0
__end__
move __createfile "{parameter "scriptFile"}"
wait chmod 555 "{parameter "scriptFile"}"
wait /bin/bash "{parameter "scriptFile"}"
The property to read the output is:
if exists files "Spring.txt" of parent folders of parent folders of client folders of sites "actionsite" then unique values of (it as trimmed string) of (if exists property "locked lines" then locked lines of it else lines of it) of files "Spring.txt" of parent folders of parent folders of client folders of sites "actionsite" else "N/A"
I do like this method a lot, and it should provide a much faster scan for customers who have 'locate' installed & configured; I just don't think I can depend on 'locate' being present for everyone.
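The task above scans WARs found by locate, and the last reply worries about hosts without it; as an added example (not the poster's task and not BigFix's own tooling) here is a standalone Python scanner for the two criteria in the question, Java 9 or greater and an embedded spring-beans jar, that recurses the filesystem instead of relying on locate and reads each WAR's zip directory without extracting it. The sample WARs it builds and the `java -version` strings fed to it are constructed test data.

```python
import re
import zipfile
from pathlib import Path

# Spring Beans markers inside a WAR: the jar under WEB-INF/lib, or the
# CachedIntrospectionResults class if Spring was unpacked into WEB-INF/classes.
SPRING_JAR_RE = re.compile(r"(^|/)spring-beans-(?P<ver>[0-9][\w.]*)\.jar$")
SPRING_CLASS = "org/springframework/beans/CachedIntrospectionResults.class"

def parse_java_major(version_output):
    """Major version from `java -version` text; JDK <= 8 reports 1.x (e.g. 1.8.0_312)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return None
    major = int(m.group(1))
    return int(m.group(2)) if major == 1 and m.group(2) else major

def inspect_war(war_path):
    """Spring indicators found by reading the zip directory only; nothing is extracted."""
    hits = []
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            m = SPRING_JAR_RE.search(name)
            if m:
                hits.append("spring-beans %s at %s" % (m.group("ver"), name))
            elif name == SPRING_CLASS:
                hits.append("unpacked Spring Beans class at %s" % name)
    return hits

def scan_tree(root, java_version_output):
    """Recurse like find (no locate needed); report WARs embedding Spring when Java >= 9."""
    major = parse_java_major(java_version_output)
    if major is None or major < 9:
        return {}
    findings = {}
    for war in Path(root).rglob("*.war"):
        if not (war.is_file() and zipfile.is_zipfile(war)):
            continue  # exploded directories and non-zip files are skipped
        hits = inspect_war(war)
        if hits:
            findings[str(war)] = hits
    return findings

def build_samples(root):
    """Constructed test data: one WAR bundling spring-beans, one without."""
    root = Path(root)
    with zipfile.ZipFile(root / "app.war", "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/spring-beans-5.3.17.jar", b"placeholder")  # not a real jar
    with zipfile.ZipFile(root / "plain.war", "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
```

On a real host, point scan_tree at the application server's deployment roots (for example Tomcat's webapps directory) and pass it the output of `java -version` from that host; the returned dict can be written to the same Spring.txt the property above reads.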