How to scan for the vulnerable Log4j library

sryn 2021-12-10 07:06:18 UTC #1

Regarding RCE 0-day exploit found in log4j, a popular Java logging package, starting a thread for those scanning for the vulnerable library in their environments. Does BigFix itsself use Log4j anywhere?

exists files whose (name of it as lowercase contains "log4j") of folders ... something something?

JasonWalker 2021-12-10 14:54:38 UTC #2

I’d avoid using the ‘descendants’ inspectors. Using Relevance to scan the whole disk can be problematic, either timing-out with no results or locking up the client so it can’t process anything else.

I’d look to use either BigFix Inventory (which already has the tools for scanning the disk), or creating a distinct scan action like the examples we built for the SolarWinds detections in the thread at DHS Emergency Directive 21-01 - Sunburst - SolarWinds thread

Basically an action that runs ‘dir /s’ on Windows or "find / " on Linux to look for the files, output the results to a text file, and then perform relevance to look at versions/vulnerabilities from the text file results list.

JasonWalker 2021-12-10 14:55:54 UTC #3

Getting the version of Log4j may be problematic as well. On the Linux systems, files don’t have Version properties. I’m not sure whether .JAR files do on Windows either. May need a utility to extract the manifest.xml from the JAR files we find.

JasonWalker 2021-12-10 18:00:54 UTC #4