Log4j CVE-2021-44228 Detection and Mitigation

Content Authoring
1

Please see the disclaimer on our Community Content efforts in detecting and mitigating these Log4j vulnerabilities at Log4j Vulnerability Identification and 3rd Party Remediation Solution Testing Statement

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

This CVE can affect Log4j components earlier than version 2.15.0. Log4j is embedded in many Java products.
We have developed an alpha Scan Task and Results Analysis to attempt to identify problematic Log4j components.

**Links to latest versions of custom content at https://bigfix.me have been moved to the summary Forum post at Log4j CVE-2021-44228, CVE-2021-45046 Summary Page **

13 Likes
2

We are working on this right now and I can test your content. Will report backā€¦

1 Like
3

This method does assume that the log4j-core-X.jar files are using default filenames and that the version can be parsed from the filename. It warns if the version is missing from the filename.

The vulnerability can be mitigated by either updating Log4j to 2.15.0 or higher, or by setting a JVM option at runtime. Iā€™m not attempting to find JVM instances or configurations to check whether the log4j2.formatMsgNoLookups option has been applied as a workaround.

2 Likes
4

Also, for UNIX/Linux scans, the ā€˜findā€™ command Iā€™m using excludes walking down remote NFS mounts. Take care if using another remote filesystem type like GPFS or UNC/Samba, I donā€™t have a way to test those yet. If there are other ā€˜findā€™ options to exclude those Iā€™d welcome the feedback.

5

The Analysis is Windows Only. Is that intentional even though the Fixlet will run scans on Linux systems?

6

Thanks, that was just brought to my attention. It was a copy/paste issue as I had reused the analysis from the SolarWindws IoC scan.

I have updated the Analysis at bigfix.me. You can re-download, or just change the relevance to that the ā€˜windows of operating systemā€™ part out.

4 Likes
7

First QA scans brought true positives to the analysis. We are testing a little broader now.

3 Likes
8

To understand this correctly, Iā€™m importing the download and executing as an analysis?

9

Download, import, and execute the Task (Testing first!)
Download, Import, and Activate the Analysis to read the results

3 Likes
10

This is working great. Thanks Jason.

1 Like
11

I am importing the task. When I click ā€œOK,ā€ the window just hangs.

12

Anyone else having this issue?

13

Disregard my posts, guys. I successfully imported the task and am running it.

2 Likes
14

Any way to write the version number of Log4j, by any chance?

15

What version are you looking for? The Analysis returns the filename and the .jar is named according to the version. Here is an example ā€œC:\Program Files\FME\plugins\log4j-core-2.13.3.jarā€. Is that what you are looking for?

16

We are looking for the version of the RPM for log4j on Linux as well as the version of installed Log4j on Windows.

17

@ACollazo Consider a WebUI Query or analysis for RPM version on non windows?

versions of packages "log4j" of rpm

For ā€œinstalledā€ on windows, assuming the installer property registers with Windows, consider:

(pathnames of it, versions of it) of regapps  whose (name of it as lowercase contains "log4j")
2 Likes
18

I think it might be unusual for Log4j to be installed on its own, it may not appear in rpm or regapps, since it would usually be embedded in another productā€¦

4 Likes
19

@JasonWalker I agree that log4j is very unlikely to show up as an installed application.
Itā€™s a library called by java applications for logging and would be packaged with the application.

3 Likes
20

Hi Jason, where would I find the results file on a Windows server, if I may trouble you, please.