FIND FILE on ANY DIR and ANY DRIVE

Please help me figure out how to find a file located on any drive, any directory that is named log4j*.jar.

What is the best method to locate this file?

The best method is probably to read the post at

Log4j CVE-2021-44228

Hope this helps!

2 Likes

Of course, I’m only looking for log4j-core*.jar, you could update your copy of the task if you want the other Log4j files.

1 Like

Thank you! This is perfect and very helpful. I’m testing it now.

1 Like

Some of my servers are reporting for the pathname analysis even though the folder/file exists with text in it. Any suggestions on how to figure out why they are reporting?

I’m sorry, I’m not sure what you are asking.

If you mean that the Log4j file exists, and it appears in the scan output text file, but does not show in the Analysis result, it is probably because the Analysis property is set to evaluate “once per hour” and the text scan completed too recently. I expect that result will be reflected in the Analysis if you give it a bit more time.

You can reduce the reporting interval of the Analysis properties, but I recommend not evaluating too frequently for client performance reasons.

Thanks for answering but it’s not that. Here’s a screenshot. The result is just for the pathname is and if you hover over the error to try to get more details you get <…>.

This is actually only happening for a particular type of system that we have which is Windows 2012 R2 ML350. We have other Windows 2012 R2 systems that work without issue. I’m trying to understand why this is happening for these systems but not sure where to start to look. Any help you can provide is greatly appreciated. Thanks again for this great fixlet/analysis. It is working well otherwise.

Can you get the details of the error message? Easiest way is to open the affected Computer in the console, the summary pane shows results from every analysis including error messages.

What version of client is on those systems? I suspect they may be lacking the “locked line of file” inspector.

They are running version 10.0.3.66. My other clients that are running this version are working beautifully (although it appears as though the jar file does not have a version property so it’s just pulling all files that exist, which is still helpful.) so it’s probably not an inspector problem.

The details of the error are just <…>
See the screenshot

This is a screenshot of the file that is created on the server with data in it, so it does actually work.

As a comparison. This is from a client that works. Same OS, Same client version, different hardware.

As you can see, the analysis is identifying all log4j jar files as potentially vulnerable (including those with the version 1.2.13 in the filename which I discovered corresponds with the actual version). I also noticed that none of these files uses a version property when you manually inspect them. Is that how you are pulling the version?
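An added example (not part of the original thread, and not the BigFix task it refers to): a stand-alone scan that walks every drive for `log4j*.jar` and reads each jar's version from inside the archive rather than from a file version property. It assumes the jar carries Maven `pom.properties` or a manifest `Implementation-Version`, and it reports whether `JndiLookup.class`, the class involved in CVE-2021-44228, is present.

```python
import os
import re
import string
import zipfile
from fnmatch import fnmatch

# Class whose presence in log4j-core marks the JNDI lookup feature (CVE-2021-44228).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def drive_roots():
    """Every mounted drive letter on Windows; '/' elsewhere."""
    if os.name == "nt":
        return [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]
    return ["/"]

def jar_version(zf):
    """Version from Maven pom.properties, else the manifest, else None."""
    names = set(zf.namelist())
    for member, key in ((POM_PROPS, "version"),
                        ("META-INF/MANIFEST.MF", "Implementation-Version")):
        if member in names:
            text = zf.read(member).decode("utf-8", "replace")
            m = re.search(rf"^{key}\s*[=:]\s*(\S+)", text, re.MULTILINE)
            if m:
                return m.group(1)
    return None

def inspect_jar(path):
    """Return (version, has_jndi_lookup); (None, None) if the file is unreadable."""
    try:
        with zipfile.ZipFile(path) as zf:
            return jar_version(zf), JNDI_CLASS in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return None, None

def find_log4j(roots=None, pattern="log4j*.jar"):
    """Walk each root, yielding (path, version, has_jndi_lookup) per matching jar."""
    for root in roots or drive_roots():
        # os.walk skips directories it cannot read instead of raising
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if fnmatch(name.lower(), pattern):
                    full = os.path.join(dirpath, name)
                    yield (full, *inspect_jar(full))

if __name__ == "__main__":
    for path, version, jndi in find_log4j():
        print(f"{path}\tversion={version}\tJndiLookup={jndi}")
```

A version of `None` means the archive carries neither metadata source, in which case the filename is the only remaining hint.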

Hold the mouse over the three-dot error message and let’s see if a description pops up.

Unfortunately, nothing pops up except <…>

Can you try to run this relevance using qna.exe (in the BES Client folder) on one of the affected machines?

(if exists property "locked lines" then locked lines of it else lines of it) whose (it does not start with "SCAN_COMPLETE") of files "BPS-Scans/CVE-2021-44228.txt" of storage folder of client

Sure… here’s a sample of the output.

C:\Program Files (x86)\BigFix Enterprise\BES Client>qna
Warning: Current console font may not display locale characters correctly.
Q: (if exists property “locked lines” then locked lines of it else lines of it)
whose (it does not start with “SCAN_COMPLETE”) of files “BPS-Scans/CVE-2021-4422
8.txt” of storage folder of client
A: C:\oracle\product\12.1.0\client_1\oui\jlib\jlib\log4j-core.jar
A: C:\oracle\product\12.1.0\client_1\sqldeveloper\sqldeveloper\lib\log4j-1.2.13.
jar
A: C:\oracle\product\12.1.0\dbhome_1\ccr\lib\log4j-core.jar
A: C:\oracle\product\12.1.0\dbhome_1\oui\jlib\jlib\log4j-core.jar
A: C:\oracle\product\12.1.0\dbhome_1\sqldeveloper\sqldeveloper\lib\log4j-1.2.13.
jar
A: C:\oracle\product\12.1.0\dbhome_1\sysman\jlib\ocm\log4j-core.jar
A: C:\oracle\product\12.1.0\grid\oui\jlib\jlib\log4j-core.jar
A: C:\Oracle18c\product\18.0.0\dbhome_1\md\property_graph\lib\log4j-1.2-api-2.9.
0.jar
A: C:\Oracle18c\product\18.0.0\dbhome_1\md\property_graph\lib\log4j-api-2.9.0.ja
r
A: C:\Oracle18c\product\18.0.0\dbhome_1\md\property_graph\lib\log4j-core-2.9.0.j
ar
A: C:\Oracle18c\product\18.0.0\dbhome_1\md\property_graph\lib\log4j-jcl-2.9.0.ja
r
A: C:\Oracle18c\product\18.0.0\dbhome_1\md\property_graph\lib\log4j-slf4j-impl-2
.9.0.jar
A: C:\Oracle18c\product\18.0.0\dbhome_1\md\property_graph\lib\log4j-web-2.9.0.ja
r
A: C:\Oracle18c\product\18.0.0\dbhome_1\oui\jlib\jlib\log4j-core.jar
A: C:\Oracle18c\product\18.0.0\dbhome_1\sqldeveloper\sqldeveloper\extensions\ora
cle.sqldeveloper.onsd\lib\log4j.jar
A: C:\Oracle18c\product\18.0.0\dbhome_1\sqldeveloper\sqldeveloper\lib\log4j-1.2-
api.jar
A: C:\Oracle18c\product\18.0.0\dbhome_1\sqldeveloper\sqldeveloper\lib\log4j-api.
jar
A: C:\Oracle18c\product\18.0.0\dbhome_1\sqldeveloper\sqldeveloper\lib\log4j-core
.jar
A: C:\Oracle18c\product\18.0.0\grid\oui\jlib\jlib\log4j-core.jar

Strange, no error, not a particularly long list of results or long length for any individual result… @AlanM any thoughts?

It doesn’t look like an Error message to me, just like a long string that’s not displaying.

Can you retrieve results on this property from Web Reports?
Does clearing your Console Cache and restarting the console have any effect?

Webreports displays not set

Clearing the Console Cache and restarting the console does not have any effect.