Log4j CVE-2021-44228 Detection and Mitigation

JasonWalker 2021-12-10 17:59:08 UTC #1

Please see the disclaimer on our Community Content efforts in detecting and mitigating these Log4j vulnerabilities at Log4j Vulnerability Identification and 3rd Party Remediation Solution Testing Statement

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

This CVE can affect Log4j components earlier than version 2.15.0. Log4j is embedded in many Java products.
We have developed an alpha Scan Task and Results Analysis to attempt to identify problematic Log4j components.

**Links to latest versions of custom content at https://bigfix.me have been moved to the summary Forum post at Log4j CVE-2021-44228, CVE-2021-45046 Summary Page **

Log4j CVE-2021-44228, CVE-2021-45046 Summary Page

How to scan for the vulnerable Log4j library

How to find the log4j version from windows and linux using bigfix

CVE-2021-44228 Log4j impacts on BigFix

FIND FILE on ANY DIR and ANY DRIVE

Log4j CVE-2021-44228, CVE-2021-45046 Summary Page

fermt 2021-12-10 18:04:24 UTC #2

We are working on this right now and I can test your content. Will report back…

JasonWalker 2021-12-10 18:07:13 UTC #3

This method does assume that the log4j-core-X.jar files are using default filenames and that the version can be parsed from the filename. It warns if the version is missing from the filename.

The vulnerability can be mitigated by either updating Log4j to 2.15.0 or higher, or by setting a JVM option at runtime. I’m not attempting to find JVM instances or configurations to check whether the log4j2.formatMsgNoLookups option has been applied as a workaround.

JasonWalker 2021-12-10 18:09:39 UTC #4

Also, for UNIX/Linux scans, the ‘find’ command I’m using excludes walking down remote NFS mounts. Take care if using another remote filesystem type like GPFS or UNC/Samba, I don’t have a way to test those yet. If there are other ‘find’ options to exclude those I’d welcome the feedback.

fermt 2021-12-10 18:19:53 UTC #5

The Analysis is Windows Only. Is that intentional even though the Fixlet will run scans on Linux systems?

JasonWalker 2021-12-10 18:24:06 UTC #6

Thanks, that was just brought to my attention. It was a copy/paste issue as I had reused the analysis from the SolarWindws IoC scan.

I have updated the Analysis at bigfix.me. You can re-download, or just change the relevance to that the ‘windows of operating system’ part out.

fermt 2021-12-10 18:36:04 UTC #7

First QA scans brought true positives to the analysis. We are testing a little broader now.

ACollazo 2021-12-10 18:36:37 UTC #8

To understand this correctly, I’m importing the download and executing as an analysis?

JasonWalker 2021-12-10 18:37:52 UTC #9

Download, import, and execute the Task (Testing first!)
Download, Import, and Activate the Analysis to read the results

jcook 2021-12-10 18:40:33 UTC #10

This is working great. Thanks Jason.

ACollazo 2021-12-10 18:44:44 UTC #11

I am importing the task. When I click “OK,” the window just hangs.

ACollazo 2021-12-10 19:09:23 UTC #12

Anyone else having this issue?

ACollazo 2021-12-10 19:27:40 UTC #13

Disregard my posts, guys. I successfully imported the task and am running it.

ACollazo 2021-12-10 19:50:18 UTC #14

Any way to write the version number of Log4j, by any chance?

jcook 2021-12-10 19:53:04 UTC #15

What version are you looking for? The Analysis returns the filename and the .jar is named according to the version. Here is an example “C:\Program Files\FME\plugins\log4j-core-2.13.3.jar”. Is that what you are looking for?

ACollazo 2021-12-10 20:09:11 UTC #16

We are looking for the version of the RPM for log4j on Linux as well as the version of installed Log4j on Windows.

brolly33 2021-12-10 20:20:36 UTC #17

@ACollazo Consider a WebUI Query or analysis for RPM version on non windows?

versions of packages "log4j" of rpm

For “installed” on windows, assuming the installer property registers with Windows, consider:

(pathnames of it, versions of it) of regapps  whose (name of it as lowercase contains "log4j")

JasonWalker 2021-12-10 20:33:51 UTC #18

I think it might be unusual for Log4j to be installed on its own, it may not appear in rpm or regapps, since it would usually be embedded in another product…

brolly33 2021-12-10 20:39:39 UTC #19

@JasonWalker I agree that log4j is very unlikely to show up as an installed application.
It’s a library called by java applications for logging and would be packaged with the application.

ACollazo 2021-12-10 21:39:46 UTC #20

Hi Jason, where would I find the results file on a Windows server, if I may trouble you, please.