Log4j CVE-2021-44228 Detection and Mitigation

JasonWalker 2021-12-17 19:49:44 UTC #305

Yes that’s true. Suggest you be careful about testing in your environment, especially on your VMs, and stagger your scans across systems as needed.

You should be doing that generally as well, even for things like patching.

keepthemomentum 2021-12-17 19:51:46 UTC #306

/home/bamboo/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.16.0/ca12fb3902ecfcba1e1357ebfc55407acec30ede/log4j-core-2.16.0.jar

This is the path.

bigfixforum 2021-12-17 19:53:35 UTC #307

If we have bigfix insight which collects OS metadata that would be much easier to know where the jar or any other file is present. we have told security that we would like to install that bigifix insight package across the nodes. let see how it goes.

JasonWalker 2021-12-17 20:04:00 UTC #308

Got it, thanks.
The relevance is actually matching on the “files-2.1” and retrieving version “2.1”. Should have an update in an hour or so.

keepthemomentum 2021-12-17 20:14:39 UTC #309

Thank you Jason. I will test it again after your update.

bigfixforum 2021-12-17 20:31:13 UTC #310

some thing like this, this will look for “.jar”

((substrings separated by “” of substrings separated by “.jar” of it ) of first matches (regex("[[:digit:]]{1,3}(.[[:digit:]]{1,3}){1,3}.jar"))

Q: it whose (it >= “2.16.0”) of ((substrings separated by “” of substrings separated by “.jar” of it ) of first matches (regex("[[:digit:]]{1,3}(.[[:digit:]]{1,3}){1,3}.jar")) of “/files-2.1/log4j-core-2.16.0.jar”)
A: 2.16.0

JasonWalker 2021-12-17 20:40:08 UTC #311

Please see the disclaimer on our Community Content efforts in detecting and mitigating these Log4j vulnerabilities at Log4j Vulnerability Identification and 3rd Party Remediation Solution Testing Statement

jgstew 2021-12-17 21:08:08 UTC #312

Do you mean BigFix Inventory?

bigfixforum 2021-12-17 21:11:45 UTC #313

yah one of those package. which does OS metadata.

Mario 2021-12-17 21:40:52 UTC #314

Likewise, had the same idea for custom text box(es) but one step at a time. I’ll try port my windows version hopefully sometime today. After sleeping on it, still seems like good option and should be relatively little work

arnars 2021-12-17 22:05:49 UTC #315

Hi guys! First of all we are all so grateful for the hard work that you are doing to help us novices keep our customers happy! A co-worker told me to day he heard people talking about how lucky we were to decided to opt for Bigfix a few years back when a decision was being made on which endpoint management software should be used at our corporation and I agree!

Last Monday we decided that we’d go for the removal of the jndilookup.class way in situations where we couldn’t update the software since most of our customers use 3rd party software containing the log4j library. We started testing out the Logpresso-based fixlet as soon as @jgstew published it on Github with great results before slowly and cautiously expanding out. We have been scanning all servers and workstations in our environment and our customers as well and have in many cases deployed the fixlet with the --force-fix switch with no reports of applications starting to misbehave…yet

Next up are those macOS machines. I’ve been spending some time tonight trying to deploy just the logpresso jar file provided on git with no results at all… I’ve tried both modifying the Linux-Logpresso fixlet as well as simply deploying a shell script with one line.

Do you guys know if there is a trick to invoke a java -jar command on a macOS, is it not possible or is my insomnia causing all of this?

Mario 2021-12-17 22:12:07 UTC #316

Do you have java on your Mac?

arnars 2021-12-17 22:28:41 UTC #317

Yes I have. Our thought was deploying Java the latest Jave to our clients before running the java -jar logpresso.jar file and that way being able to scan the Macs… Do you know happen to know of any other way to do this on Macs ?

Mario 2021-12-17 22:30:41 UTC #318

My recommendation is not not deploy java.
It is a nightmare.

You want portability so it’s gone forever at the end of the scans.
Unless you intend to maintain and update it constantly once installed this is not the right way forward.

arnars 2021-12-17 22:35:07 UTC #319

No we were actually intending to just remove Java from the Macs in a few days, weeks until the storm settles. Is it possible to use the Logpresso without Java on Macs ?

Mario 2021-12-17 22:36:35 UTC #320

I’m working on porting to Linux the work I already did on windows to run in java using openjdk jre compressed archives.

However it is not done yet, like almost everyone, been a tough week

arnars 2021-12-17 22:43:03 UTC #321

Oh ok that’s awesome, can’t wait!
Been a long week indeed, can’t wait to get some good night sleep!

jgstew 2021-12-17 22:57:34 UTC #322

That is amazing!

I would suggest trying to get it to work in terminal manually on a mac and get that refined before trying to do it with bigfix. We are headed down this path but haven’t got there yet.

This is what @JasonWalker and I hope to be doing soon, but if people have examples for various platforms that would help us a ton, especially how to invoke portable java on various obscure non-windows platforms.

arnars 2021-12-17 23:05:39 UTC #323

Yeah I forgot to mention that… I have already tried running those commands with out any issues on the mac but when ever I deploy it it just won’t work… I started thinking if this was something like when running stuff under System context on Windows or if it’s something with java… Also tried running this as root and it work fine
Strange stuff

jgstew 2021-12-17 23:09:02 UTC #324

What is the exact command that works fine on Mac manually? I can help adapt it to bigfix content.

What did you try in an action that didn’t work?

In generally, I would recommend something in the format of:

/bin/sh -c "cd folder && command > output.txt"

MBP:/ james$ /bin/sh -c "cd /tmp && echo testing123 > test.txt"
MBP:/ james$ cat /tmp/test.txt
testing123

I ran this from / not from /tmp yet it still runs within /tmp due to it starting with cd /tmp && which is a tip I picked up originally from @it_cat long ago.