Log4j CVE-2021-44228 Detection and Mitigation

The logpresso utility handles this case and more.

1 Like

report on class, with the option to fix

1 Like

A fixlet using logpresso would be a big help.

2 Likes

What I read yesterday is that Apache is removing the JNDI class altogether in Version 16. That is why I thought it would be safer to remove the class from the core files detected, because the filename will stay the same and, other than missing the JNDI class, all other components would be the expected version of the application using it. I know it’s a risk and may break functionality, but I am only concerned about workstations at this moment, and I’m trying to reduce the risk to our company. I renamed the class in a jar file yesterday so that I could test the zip command. Of course it didn’t work, but it did with 7z, which we have on all of our workstations. Once edited, the core file has a new current date. I am just not good at writing complex DOS commands that would tack the required strings before and after each of the resulting path lines of your search task.

1 Like
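The class-removal idea from the post above, as an added example (not code from the thread or from Logpresso): rewrite a jar without `org/apache/logging/log4j/core/lookup/JndiLookup.class` (the real path of the lookup class in log4j-core 2.x), keep the original beside it with the thread's `-disabled` suffix, and leave the filename unchanged so existing configuration still finds it. The sample jar is constructed in a temp directory; `demo()` and the backup suffix are this example's own choices.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Real path of the lookup class inside log4j-core 2.x jars; removing it is the documented 2.x mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def contains_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(jar_path, backup_suffix="-disabled"):
    """Rewrite the jar without JndiLookup.class; the untouched original is kept as
    <jar>-disabled (the thread's naming). Returns False if the class was not present."""
    jar_path = Path(jar_path)
    if not contains_jndi_lookup(jar_path):
        return False
    backup = jar_path.with_name(jar_path.name + backup_suffix)
    shutil.copy2(jar_path, backup)  # rollback copy, made before anything is rewritten
    buf = io.BytesIO()
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps per-entry metadata
    jar_path.write_bytes(buf.getvalue())  # same filename, so configs still resolve it
    return True

def make_sample_jar(path):
    """Constructed stand-in for a log4j-core jar: a manifest, a dummy class, the lookup class."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path

def demo():
    """Round trip in a temp dir: (present before, removed, present after, backup intact, second run)."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_sample_jar(os.path.join(d, "log4j-core-2.13.1.jar"))
        before = contains_jndi_lookup(jar)
        removed = strip_jndi_lookup(jar)
        after = contains_jndi_lookup(jar)
        backup_intact = contains_jndi_lookup(jar + "-disabled")
        return before, removed, after, backup_intact, strip_jndi_lookup(jar)
```

As the post notes, the rewritten jar gets a new modification time, which is a useful marker when checking later which files were patched this way.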

Can you provide an example few lines from the results from the search task? I don’t have one handy at the moment.

Also, the logpresso thing I’m working on will do this and more.

If anyone has example command line options for running the logpresso utility that would be cool. I’m working on the action side of things right now.

BFI team has produced custom Signatures, hosted at BigFix.me.
See updated links at Log4j CVE-2021-44228, CVE-2021-45046 Summary Page

2 Likes

I cannot stress enough how un-tested this is. But I’ve made a Task (on Windows) that will parse the earlier scan results, find log4j-core-2.x.jar files that are not 2.16.0, and replace those files.

The original file is backed up to log4j-core-2.x.jar-disabled, and the new version keeps the old version’s filename. That is an attempt to let the new version work with older configuration files.

I’m ready for a few brave souls to try it out. No warranty, at your own risk, etc.

https://bigfix.me/fixlet/details/26901

2 Likes

For Windows (this is just me testing), this gives me what I need:

log4j2-scan.exe --drives c > "C:\temp\Logpresso\output.txt"

analysis would be something like this (obviously cleaned up)

//Vulnerable files
q: preceding texts of firsts "," of following texts of firsts "vulnerability in " of lines of file "Output.txt" of folder "C:\Temp\Logpresso"
A: C:\Temp\cis-cat-full-2019\ciscat-full-bundle-2019-01-17-v3.0.55\cis-cat-full\lib\log4j-core-2.3.jar
A: C:\Temp\cylance\cis-cat-full-2019\ciscat-full-bundle-2019-01-17-v3.0.55\cis-cat-full\lib\log4j-core-2.3.jar
T: 3.995 ms

//Mitigated files
q: preceding texts of firsts "," of following texts of firsts "vulnerability in " of lines whose (it as lowercase contains " (mitigated)" as lowercase) of file "Output.txt" of folder "C:\Temp\Logpresso"
A: C:\Temp\cis-cat-full-2019\ciscat-full-bundle-2019-01-17-v3.0.55\cis-cat-full\lib\log4j-core-2.3.jar
A: C:\Temp\cylance\cis-cat-full-2019\ciscat-full-bundle-2019-01-17-v3.0.55\cis-cat-full\lib\log4j-core-2.3.jar
T: 1.287 ms

1 Like

C:\Program Files\Code42\lib\log4j-core-2.13.3.jar
C:\sqldeveloper\sqldeveloper\lib\log4j-core.jar
C:\Users\%username%\Downloads\sqldeveloper-19.2.1.247.2212-x64\sqldeveloper\sqldeveloper\lib\log4j-core.jar
SCAN_COMPLETE

1 Like

I changed the username to var; that’s not the way it writes to the CVE-2021-44228.txt file.

1 Like

Man meets machine! You are awesome! I have plenty of test targets. Going to try this out now.

1 Like

Here is a work in progress fixlet/task to run the Logpresso log4j2-scan.exe but without the actual run command:

Working to add and test the run command now. Hope to have something in the next hour or so.

1 Like

Amazing, thank you. Linux is just as high priority :slight_smile:

1 Like

Yep, the fixlet/task for Linux should be almost identical. Just need a tar command to extract instead of unzip.exe and using /tmp instead of /Windows/Temp

Will work on Linux next.

Just need to target fixed disks on Windows and exclude NFS on Nix.

1 Like

Yeah, that is a challenge to craft the command to do the right thing for *nix, potentially scan / but exclude mounts

…and cifs
…and gpfs
(* and ‘find’ doesn’t recognize the ‘cifs’ filesystem as a type directly, at least on some platforms)

In the case of the Logpresso utility on *nix, it might just be as simple as targeting / but excluding mounts and drives so that you scan only the equivalent of “C: Drive” on windows.

I would love help for what the best command example for Logpresso would be to achieve this on *nix.
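One way to build the *nix exclusion list asked for above, as an added example (not from the thread or from Logpresso): read `/proc/mounts`, pick the mount points whose filesystem type is a network/cluster type (nfs, cifs, gpfs and friends, which `find -fstype` does not always recognise), and pass them to the scanner so that `/` is scanned without crossing into those mounts. The mounts excerpt is constructed; the filesystem list and the assumption that `log4j2-scan` takes comma-separated paths in `--exclude` are this example's own.

```python
import os
import re

# Filesystem types treated as network or cluster mounts (this example's list; extend as needed).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "gpfs", "fuse.sshfs"}

# Constructed /proc/mounts excerpt (fields: device mountpoint fstype options dump pass).
# The share name contains a space, which the kernel writes as the octal escape \040.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid 0 0
fileserver:/export/home /home nfs rw,vers=3 0 0
//nas/share /mnt/nas\\040share cifs rw,username=svc 0 0
/dev/gpfs0 /gpfs gpfs rw 0 0
/dev/sdb1 /data xfs rw 0 0
"""

def unescape_mount(field):
    """/proc/mounts escapes space, tab, newline and backslash as \\ooo octal sequences."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def network_mount_points(mounts_text, fs_types=NETWORK_FS):
    """Mount points whose fstype is in fs_types, sorted; malformed lines are skipped."""
    points = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mount_point, fs_type = unescape_mount(parts[1]), parts[2]
        if fs_type in fs_types:
            points.append(mount_point)
    return sorted(points)

def build_scan_command(mounts_text, scanner="./log4j2-scan"):
    """argv list: scan / but exclude the network mounts (--exclude assumed comma-separated)."""
    excluded = network_mount_points(mounts_text)
    cmd = [scanner]
    if excluded:
        cmd += ["--exclude", ",".join(excluded)]
    return cmd + ["/"]

if __name__ == "__main__":
    # Use the live mount table when present (Linux), otherwise the constructed sample.
    text = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    print(build_scan_command(text))
```

Pass the list to `subprocess.run` rather than joining it into a shell string, so a mount point with spaces stays one argument.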

This has been updated for running the logpresso utility and including an action for windows:

I need to replicate the same for *nix and create an analysis to read the results.

Example results:

Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.2 (2021-12-16)
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\APP_EXAMPLE\bin\jdbcserver.jar, log4j 2.13.1
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\APP_EXAMPLE\bin\oauthservice.jar, log4j 2.13.1
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\APP_EXAMPLE\bin32\jdbcserver.jar, log4j 2.13.1
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\APP_EXAMPLE\bin32\oauthservice.jar, log4j 2.13.1
Running scan (9s): scanned 7403 directories, 66708 files, last visit: C:\Program Files\APP_EXAMPLE\Local\Maps\CN\normal\5\14
Running scan (20s): scanned 15260 directories, 139207 files, last visit: C:\ProgramData\Microsoft\Windows\AppRepository\Packages\FOLDER_EXAMPLE1
Running scan (30s): scanned 29093 directories, 197700 files, last visit: C:\Windows\servicing\LCU\FOLDER_EXAMPLE2
Running scan (42s): scanned 43760 directories, 252254 files, last visit: C:\Windows\servicing\LCU\FOLDER_EXAMPLE3
Running scan (52s): scanned 59217 directories, 322124 files, last visit: C:\Windows\WinSxS\FOLDER_EXAMPLE4
Running scan (62s): scanned 78733 directories, 379013 files, last visit: C:\Windows\WinSxS\Temp\InFlight\FOLDER_EXAMPLE5

Scanned 89523 directories and 387921 files
Found 4 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 65.84 seconds

Notice how this found affected JARs that are NOT named for log4j

2 Likes
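A parser for the scanner output shown above, as an added example (not code from the thread): it does what the two relevance queries earlier in the thread do, splitting `[*] Found ...` lines into path, version and mitigated flag, and then applies the replacement Task's rule of selecting unmitigated files older than 2.16.0. The sample output is constructed in the 1.6.x line format, including a `(mitigated)` line; the 2.16.0 target is the thread's, so `target` is a parameter.

```python
import re
from typing import NamedTuple

# Constructed sample in the line format log4j2-scan 1.6.x prints; not a real scan.
SAMPLE_OUTPUT = """\
Logpresso CVE-2021-44228 Vulnerability Scanner 1.6.2 (2021-12-16)
[*] Found CVE-2021-44228 vulnerability in C:\\Program Files\\APP_EXAMPLE\\bin\\jdbcserver.jar, log4j 2.13.1
[*] Found CVE-2021-44228 vulnerability in C:\\Temp\\lib\\log4j-core-2.3.jar (mitigated), log4j 2.3
[*] Found CVE-2021-44228 vulnerability in C:\\Apps\\lib\\log4j-core-2.14.1.jar, log4j 2.14.1
Running scan (9s): scanned 7403 directories, 66708 files, last visit: C:\\Windows
Scanned 89523 directories and 387921 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Completed in 65.84 seconds
"""

# Path is non-greedy so the optional " (mitigated)" marker and the ", log4j <ver>" tail are split off.
FINDING = re.compile(
    r"^\[\*\] Found (?P<cve>CVE-\d{4}-\d+) vulnerability in "
    r"(?P<path>.+?)(?P<mitigated> \(mitigated\))?, log4j (?P<version>\S+)$"
)

class Finding(NamedTuple):
    cve: str
    path: str
    version: tuple   # numeric components, e.g. (2, 13, 1)
    mitigated: bool

def parse_version(text):
    """'2.13.1' -> (2, 13, 1); a suffix after '-' (e.g. '2.0-beta9') is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def parse_scan(output):
    """One Finding per '[*] Found ...' line; progress and summary lines are ignored."""
    findings = []
    for line in output.splitlines():
        m = FINDING.match(line.strip())
        if m:
            findings.append(Finding(m["cve"], m["path"], parse_version(m["version"]),
                                    m["mitigated"] is not None))
    return findings

def needs_replacement(findings, target=(2, 16, 0)):
    """Paths still unmitigated and older than target (2.16.0 in this thread), sorted."""
    return sorted(f.path for f in findings if not f.mitigated and f.version < target)

def mitigated_paths(findings):
    return sorted(f.path for f in findings if f.mitigated)
```

Note that the JARs in the real output above are not named `log4j-core-*.jar`, so the version from the scanner line, not the filename, is what the replacement decision should use.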

I have made a minor edit to target all fixed disks (untested currently)

runhidden CMD /C {windows folder}\Temp\log4j2-scan.exe --drives {concatenations "," of preceding texts of firsts ":" of names of drives whose (type of it = "DRIVE_FIXED")} > "{parameter "ListFile"}"

2 Likes