Hi,
Does the BigFix Team, have any official/unofficial content for the following vulnerability?
Not yet. Iâm beginning to look into it. First impression is that it could be fairly widespread, but not nearly as easy to exploit or as likely to be vulnerable in actual application code as Log4j was.
I have a very basic set of scans and analysis for this on my GitHub page now at https://github.com/Jwalker107/BigFix/tree/master/Test%20Content/Apache%20commons-text if youâd like to give it a test.
These scans are very similar to the Spring Framework scans I published a few months ago. These scan the entire hard drive, searching for the commons-text-*.jar files whether they are standalone files, or embedded in .WAR archives.
There is no throttling of Processor or Disk I/O on these scans. Test with care, especially when scanning multiple endpoints to avoid overwhelming shared infrastructure in virtualization or shared-storage enviroments.
While these scans do attempt to avoid traversing network filesystems, I have only limited resources for testing and may not be able to account for every filesystem type, especially on Linux/UNIX platforms. To detect local filesystems on Linux the script is executing
df -l --output=target -x tmpfs -x devtmpfs | sed 1d
The output should list local filesystems. If network filesystems are listed, those will be scanned and we may need to improve the command to exclude your network filesystem types. I think this scan will be reused as a template as other library vulnerabilities are discovered, so I welcome any improvement to this command.
Once the filesystems are discovered, the âfindâ command is used to perform the scan, and uses the â-xdevâ parameter to avoid traversing mountpoints outside of each scanned filesystem.
So I ran the scan on some windows and some linux systems. I setup the analysis but only the windows machines are showing up in the analysis. None of the linux systems I scanned show up even though the scan came back successful.
Can you check whether the Linux systems created the two output files âapache-commons-text.logâ and âapache-commons-text.txtâ in the /var/opt/BESClient/Scans directory?
If the .txt file was not created, does the .log file have any useful error messages in it?
[root@cent-1 Scans]# pwd
/var/opt/BESClient/Scans
[root@cent-1 Scans]# ls
apache-commons-text.log grails-databinding-scan-output.txt Spring-scan-output.txt
apache-commons-text.txt grails-databinding-scan.txt Spring-scan.txt
I will have to get a hold of one of the system admins responsible. it may take some time. We also had another major incident come up and have been trying to clean that up, so we are all busy. I will see what I can do to get it today.
so far the only Linux admin that has access is on vacation. I will keep trying
I tried the linux scan as well, I think there is an error in the script, there is only 1 file created and the content is: ./run_scan.sh: 5: Syntax error: â(â unexpected
Thanks
Thank you, I will look into this shortly. Just wanted to acknowledge Iâve seen the responses and appreciate them.
Itâs working correctly, at least on my CentOS and RHEL machines. Could you either post or private-message me with the areas from the log that are giving the error? Was that â(â unexpected the only line?
I donât see any likely spot for the error yet. It could be a shell compatibility of some kind? Under what OS are you seeing this?
I just made a small change to the Linux scan on github. Itâs not functionally different, and I donât expect it to correct the problem youâre seeing, but I enable tracing with the âset -o xtraceâ command in the run_scan.sh script; that should trigger more verbose output in the .log file.
Iâm also assuming sh / bash-like behavior from the shell (which is why I ask about the operating system). I think even Ubuntuâs dash shell should behave this way (when invoked as /bin/sh anywayâŚ).
Thanks, that helps. On what operating system are you seeing this behavior?
Ubuntu 20.04, Iâve attached pictures on previous post:slight_smile:
Thanks very much, that helpsâŚa lot.
Iâve built an Ubuntu 22.04 systemâŚand then I lost some time assuming my shell was dash, but my user shell was explicitly /bin/bash instead of /bin/shâŚbut Iâm all caught up now.
The âdashâ shell is much stricter in terms of POSIX compliance and doesnât support some of the statements I was using, that required Bash extensions. Iâd rather not have to rely on /bin/bash being present, it seems safer to use only POSIX-compliant statementsâŚwith that in mind, Iâve refactored the script and updated it at Github. Please give this version a try and see whether you get better results. This new version is working on CentOS and Ubuntu.
The main change was how the function is defined and how the string comparisons are made.
Original:
function handle_file() {{
echo Handling $1
if [[ $1 == *\.war || $1 == *\.WAR || $1 == *\.zip || $1 == *\.ZIP || $1 == *\.ear || $1 == *\.EAR ]]
then
echo "${{1} is an archive, searing content via unzip";
for embeddedfile in `unzip -Z -1 "$1" *commons-text-*.jar -x *-sources.jar *-javadoc.jar *-tests.jar`
do
echo ${{1}::${{embeddedfile}>>${{OUTPUT_FILE}
done
else
echo ${{1}>>${{OUTPUT_FILE}
fi
}
New version:
handle_file() {{
echo Handling $1
case $1 in
*.war|*.zip|*.ear|*.WAR|*.ZIP|*.EAR)
echo "${{1} is an archive, searching content via unzip";
for embeddedfile in `unzip -Z -1 "$1" *commons-text-*.jar -x *-sources.jar *-javadoc.jar *-tests.jar`
do
echo ${{1}::${{embeddedfile}>>${{OUTPUT_FILE}
done
;;
*)
echo ${{1}>>${{OUTPUT_FILE}
;;
esac
}@D.Dean were your failing systems also Ubuntu? Can you try the latest version and let me know whether it works for you?
@orbiton Please also try the latest version on yours and let me know if that resolves for you.
Iâm asking for feedback on this before I post it to bigfix.me, because every time I update it on bigfix.me the new version gets a new download link, so I want it to be fairly static before I copy it there.
@JasonWalker Sorry, I have been off since Thursday.
The Linux OSes we have are RH and CentOS.
I dont know if the scan is the issue or if the analysis is. We ran the scan and it says complete but the analysis does not show the results.
We need to get used to this. Seems like these kinds of libraries will be the new attack vector for threat actors.
Are the Linux machines subscribed to the site containing the Analysis?
Can you run the relevance from the Analysis against some of the scanned machines, either with the WebUI Query app or the local Linux QNA utility? Iâd like to check whether the output files that Iâm expecting were actually createdâŚ