add this to the command line --fix --force-fix
I grabbed the logpresso fixlet and analysis from the github site. Is that the correct place to pull from?
I have both BES files from github imported and tried testing against one endpoint. The scan worked and created a file on the endpoint listing the copies of the file, and each shows as having been mitigated. The analysis for the same box displays .
yes, github is the place.
I just released an updated version of the scanner for both Linux and Windows. Same links as before:
It looks like logpresso only outputs if vulnerable versions are found. Correct?
I've updated the shell-script based analysis results, see summary at Log4j CVE-2021-44228, CVE-2021-45046 Summary Page
- Added hashes for versions 2.12.2 and 2.16.0
- Add 2.15.0 as "Potentially Vulnerable".
- Exclude 2.12.2 as "Potentially Vulnerable".
Again, with the forward work focusing on Logpresso, this scan method and analysis result are mostly deprecated but may still be useful so I have not removed them.
I think you may have a problem launching the scan. I'd still expect an output to be created.
Logpresso CVE-2021-44228 Vulnerability Scanner 1.7.0 (2021-12-17)
Scanning directory: / (without /cdrom, /dev, /mnt, /proc, /sys, /sys/fs/cgroup/blkio, /sys/fs/cgroup/cpu,cpuacct, /sys/fs/cgroup/cpuset, /sys/fs/cgroup/devices, /sys/fs/cgroup/freezer, /sys/fs/cgroup/hugetlb, /sys/fs/cgroup/memory, /sys/fs/cgroup/net_cls,net_prio, /sys/fs/cgroup/perf_event, /sys/fs/cgroup/pids, /sys/fs/cgroup/systemd, /tmp, /dev, /dev/shm, /run, /sys/fs/cgroup, /run/user/1000, /media/cdrom)
Skipping broken jar file /home/jason/log4j-core-2.13.0.jar ('zip file is empty')
Scanned 13992 directories and 161362 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
This output is for a file that is supposed to be 2.16.0:
>log4j2-scan.exe c:\REDACTED\sqldeveloper-21.4.1.349.1822-x64\sqldeveloper\lib\log4j-core.jar
Logpresso CVE-2021-44228 Vulnerability Scanner 1.7.0 (2021-12-17)
Scanning directory: c:\REDACTED\sqldeveloper-21.4.1.349.1822-x64\sqldeveloper\lib\log4j-core.jar
Scanned 0 directories and 1 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.02 seconds
Ok, with a non-vulnerable version I think that's the expected output.
You might try adding the --trace parameter if you'd like to test that it really is examining the file, or scan a vulnerable version alongside it, but that output looks good to me.
(and, I gotta say I hope I never have to deal with the vendor stripping the version numbers off of the filename)
Third CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-4104
This one affects Log4j 1.x in specific non-default configurations. We are aware of this. Current guidance is to upgrade to 2.16.0, I'm not expecting workarounds in the end-of-life 1.x versions.
Jason, was the entry for 2.16 added as a match that means you are on the latest version, whereas all the 2.15 entries and below mean vulnerable?
Yes, that's right.
Also, 2.12.2 is also considered "fixed"; 2.12.2 supports JRE 7, while 2.16.0 requires JRE 8 or higher. Both are accounted for in the Analysis.
Thanks for the clarification. One other thing we noticed was a "not matched" verdict for 2.15 as follows:
C:\Program Files\Code42\lib\log4j-core-2.15.0.jar, 419a8512895971b7b4f4f33e620d361254e5c9552b904b0474b09ddd4a6a220b, Not Matched
It's because the hash doesn't match the one in the property (makes sense). So I am wondering, is there more than one version 2.15 out there, or should we consider all other ones not matching "bad"?
We have quite a lot of "not matched" from libraries that are binary-bundled with vendor apps.
Not sure if this was previously mentioned but the BFI 10.0.7 has the remediation for CVE-2021-44228: BigFix Inventory has a remediation for Log4j Vulnerability CVE 2021-44228
In addition for detecting the Log4j vulnerability in other products the BFI development team has created a separate post for custom template signatures:
The logpresso scan utility does seem to find vulnerable versions bundled into other JAR files, but it won't find those that have been compiled into a binary like an EXE, but that is very, very hard to detect.
@jgstew ran the logpresso task on a few windows and linux machines as a test. On the analyses side for windows I am seeing a few error results in the analysis:
The expression could not be evaluated: File error "classFileIOError" on "C:\Program Files(x86)\BigFix Enterprise\Bes CLient\BPS-Scans\results-log4j2-scan.txt": "Windows Error 0x20%: The process cannot access the file because it is being used by another.
When I go to the system I can see the file exists.
Wondering if others are seeing this too?
That probably indicates the scan was still running and had the file locked when the analysis was evaluated.
For a quick workaround, right-click those computers and "Send Refresh" to have them re-evaluate, or wait for the next evaluation period.
We should be able to get a new version of the Analysis out tomorrow to use "locked lines" rather than "lines" of file.
Thanks for the clarification on that. I am seeing results now from my Linux systems with some unbelievable elapsed times, which seem to be more a product of the scanner itself vs the BigFix content. But is it really that quick? Here is the output from 2 Linux systems, one with affected files, the other without.
Server 1:
File reads:
Logpresso CVE-2021-44228 Vulnerability Scanner 1.7.0 (2021-12-17)
Scanning directory: / (without /cdrom, /dev, /mnt, /proc, /sys, /sys/fs/cgroup/blkio, /sys/fs/cgroup/cpu,cpuacct, /sys/fs/cgroup/cpuset, /sys/fs/cgroup/devices, /sys/fs/cgroup/freezer, /sys/fs/cgroup/memory, /sys/fs/cgroup/net_cls,net_prio, /sys/fs/cgroup/perf_event, /sys/fs/cgroup/pids, /sys/fs/cgroup/rdma, /sys/fs/cgroup/systemd, /sys/fs/cgroup/unified, /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup)
Scanned 21397 directories and 175881 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 1.26 seconds
Property Result = <none>
Server 2:
File Reads:
Logpresso CVE-2021-44228 Vulnerability Scanner 1.7.0 (2021-12-17)
Scanning directory: / (without /cdrom, /dev, /mnt, /proc, /sys, /sys/fs/cgroup/blkio, /sys/fs/cgroup/cpu,cpuacct, /sys/fs/cgroup/cpuset, /sys/fs/cgroup/devices, /sys/fs/cgroup/freezer, /sys/fs/cgroup/memory, /sys/fs/cgroup/net_cls,net_prio, /sys/fs/cgroup/perf_event, /sys/fs/cgroup/pids, /sys/fs/cgroup/rdma, /sys/fs/cgroup/systemd, /sys/fs/cgroup/unified, /dev, /run, /dev/shm, /run/lock, /sys/fs/cgroup)
[] Found CVE-2021-44228 vulnerability in /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar, log4j 2.11.1
[] Found CVE-2021-44228 vulnerability in /usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.9.1.jar, log4j 2.11.1
Scanned 7691 directories and 83105 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.62 seconds
Property Result=
/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar, log4j 2.11.1
/usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.9.1.jar, log4j 2.11.1
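The Property Result shown above is just the per-file finding lines pulled out of the scanner's text output. As an added example (not the thread's BigFix analysis and not Logpresso's code), here is a small Python parser that does the same extraction over constructed sample output modelled on the lines quoted above, and cross-checks the number of findings against the "Found N vulnerable files" summary so a truncated or partially written results file is noticed rather than silently reported as clean:

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-file finding lines as printed by the scanner, e.g.
# "[*] Found CVE-2021-44228 vulnerability in /path/log4j-core-2.11.1.jar, log4j 2.11.1"
FINDING_RE = re.compile(
    r"Found (?P<cve>CVE-\d{4}-\d+) vulnerability in (?P<path>.+?), log4j (?P<version>\S+)$"
)
# Summary line "Found 2 vulnerable files" (does not match the "potentially"/"mitigated" lines).
SUMMARY_RE = re.compile(r"^Found (?P<count>\d+) vulnerable files$")


@dataclass(frozen=True)
class Finding:
    cve: str
    path: str
    version: str


def parse_scan_output(text: str) -> Tuple[List[Finding], Optional[int]]:
    """Return the per-file findings and the count from the summary line (None if absent)."""
    findings: List[Finding] = []
    summary_count: Optional[int] = None
    for line in text.splitlines():
        line = line.strip()
        m = FINDING_RE.search(line)
        if m:
            findings.append(Finding(m["cve"], m["path"], m["version"]))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary_count = int(m["count"])
    return findings, summary_count


def property_result(text: str) -> str:
    """Render the findings the way the analysis property in the thread displays them."""
    findings, summary_count = parse_scan_output(text)
    if summary_count is not None and summary_count != len(findings):
        # Summary disagrees with the finding lines: the results file is incomplete or garbled.
        raise ValueError(f"summary reports {summary_count} vulnerable files, parsed {len(findings)}")
    if not findings:
        return "<none>"
    return "\n".join(f"{f.path}, log4j {f.version}" for f in findings)


# Constructed sample modelled on the output quoted in the thread (not a real scan).
SAMPLE_OUTPUT = """\
Logpresso CVE-2021-44228 Vulnerability Scanner 1.7.0 (2021-12-17)
Scanning directory: /
[*] Found CVE-2021-44228 vulnerability in /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.9.1.jar, log4j 2.11.1
Scanned 7691 directories and 83105 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.62 seconds
"""

if __name__ == "__main__":
    print(property_result(SAMPLE_OUTPUT))
```

A scan with no findings yields "<none>", matching the Server 1 result above; a results file whose summary count disagrees with its finding lines raises instead of reporting clean.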
Tested the scan on AIX and it doesn't show any applicable machines on it. Any suggestions to modify so that a scan can be run?