Log4j CVE-2021-44228 Detection and Mitigation

manny 2021-12-10 21:50:05 UTC #21

So far so good Jason. Your scan/analysis has accurately uncovered some positives. Thanks so much mate!

fermt 2021-12-10 21:52:02 UTC #22

We have run the fixlet on more than 3k servers and we will go trough the results to validate them.

Special thanks to @JasonWalker for delivering this very quickly!

JasonWalker 2021-12-10 22:04:20 UTC #23

It’s in a folder relative to BES Client; by default at C:\Program Files (x86)\BigFix Enterprise\BES Client\BPS-Scans\CVE-2021-44228.txt

EMPOWER 2021-12-10 22:08:49 UTC #24

Slow rolled lab/test and once confirmed no issues successfully ran on ~10k nix and ~3k win servers. Lots of work to do now contacting app owners. Huge thanks to @JasonWalker!!!

jbruns2017 2021-12-10 23:10:19 UTC #25

What about Bigfix products themselves? Are any affected by CVE-2021-44228?

PShirmey 2021-12-11 00:42:20 UTC #26

I had some false negatives on servers that did not have the version in the filename, so I removed the last - before the * in the file matching pattern. log4j-core*.jar instead of log4j-core-*.jar

JasonWalker 2021-12-11 01:10:12 UTC #27

Thanks very much for checking, I’ve updated the copy of the scan task at https://bigfix.me/fixlet/details/26889

The Analysis should report “potentially affected” for any of the log4j-core.jar files as they do not specify their version.

atlauren 2021-12-11 01:53:30 UTC #28

FWIW, I’ve added exists folder "BPS-Scans" of storage folder of client to the analysis’ relevance, just so that it only slurps in machines that have previously run the scan.

atlauren 2021-12-11 02:25:32 UTC #30

exist (folder "BPS-Scans" of storage folder of client) whose (exists (file "CVE-2021-44228.txt" of it) whose ( exists (if exists property "locked lines" then locked lines of it else (lines of it)) whose (it does not start with "SCAN_COMPLETE")))

cjwolford 2021-12-11 03:09:23 UTC #31

I remember fumbling through it before, but what’s my easiest way to export the paths to excel instead of just multiple results?

Austin4778 2021-12-11 03:41:08 UTC #32

I opened a support case on this one. The only products currently discovered as vulnerable are BFI and RC. Waiting on confirmation on the rest. Quote from case:

We have received your case regarding your concern with the discovered vulnerability in log4j. Currently, the products that show Log4j being used are BFi and Remote Control but we are still confirming with other products if they could also be affected by the issue.
Hypothetically anything that uses JVMs is vulnerable. The current workaround is as follows:
find the jvm.option file for the product you are using, update with -Dlog4j2.formatMsgNoLookups=true on a separate line in the file. Restart server This is the workaround until we get the updates out for all the effected products. From https://isc.sans.edu/diary/28120 :
due to exploitation being relatively simple, we would suggest that you try to apply one of the workarounds as soon as possible: A new log4j library has been released, version 2.15.0 that fixes the vulnerability. This is, of course, the best fix, but it might require recompilation and redistribution of packages
If you are using version 2.10.0 you can set a property called formatMsgNoLookups to true to prevent lookups. This can be passed as a parameter too.
For older versions you will need to modify logging patterns as specified here: https://issues.apache.org/jira/browse/LOG4J2-2109

nicksberger 2021-12-11 13:53:02 UTC #34

Great work so far, anyone have the code to determine if the workaround config has been applied ?

ifreeman 2021-12-11 14:55:16 UTC #35

This is great! Some of my servers are reporting for the pathname analysis even though the folder/file exists with text in it. Any suggestions on how to figure out why they are reporting ?

Jstev 2021-12-11 16:00:38 UTC #36

Any thoughts about gathering the hash of the matched files so that they can be compared against the affected hash files?

github.com

mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/md5sum.txt

# 2.X versions

2addabe2ceca2145955c02a6182f7fc5  ./apache-log4j-2.0-alpha2-bin/log4j-core-2.0-alpha2.jar
5b1d4e4eea828a724c8b0237326829b3  ./apache-log4j-2.0-beta1-bin/log4j-core-2.0-beta1.jar
ce9e9a27c2a5caa47754999eb9c549b8  ./apache-log4j-2.0-beta2-bin/log4j-core-2.0-beta2.jar
1538d8c342e3e2a31cd16e01e3865276  ./apache-log4j-2.0-beta3-bin/log4j-core-2.0-beta3.jar
9cb138881a317a7f49c74c3e462f35f4  ./apache-log4j-2.0-beta4-bin/log4j-core-2.0-beta4.jar
578ffc5bcccb29f6be2d23176c0425e0  ./apache-log4j-2.0-beta5-bin/log4j-core-2.0-beta5.jar
5b73a0ad257c57e7441778edee4620a7  ./apache-log4j-2.0-beta6-bin/log4j-core-2.0-beta6.jar
e32489039dab38637557882cca0653d7  ./apache-log4j-2.0-beta7-bin/log4j-core-2.0-beta7.jar
db025370dbe801ac623382edb2336ede  ./apache-log4j-2.0-beta8-bin/log4j-core-2.0-beta8.jar
152ecb3ce094ac5bc9ea39d6122e2814  ./apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar
cd70a1888ecdd311c1990e784867ce1e  ./apache-log4j-2.0-bin/log4j-core-2.0.jar
088df113ad249ab72bf19b7f00b863d5  ./apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar
de8d01cc15fd0c74fea8bbb668e289f5  ./apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar
fbfa5f33ab4b29a6fdd52473ee7b834d  ./apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar
8c0cf3eb047154a4f8e16daf5a209319  ./apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar
8d331544b2e7b20ad166debca2550d73  ./apache-log4j-2.1-bin/log4j-core-2.1.jar
5e4bca5ed20b94ab19bb65836da93f96  ./apache-log4j-2.2-bin/log4j-core-2.2.jar
110ab3e3e4f3780921e8ee5dde3373ad  ./apache-log4j-2.3-bin/log4j-core-2.3.jar

This file has been truncated. show original

github.com

mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha1sum.txt

# 2.x Versions
685125b7b8bbd7c2f58259937090ac2ae9bcb129  ./apache-log4j-2.0-alpha2-bin/log4j-core-2.0-alpha2.jar
7058796a0aa49ea21ea2cc7bf9dece0d3b8942ae  ./apache-log4j-2.0-beta1-bin/log4j-core-2.0-beta1.jar
b5f9c15e1fb18d84193ac10e4bfb88af1724f5cd  ./apache-log4j-2.0-beta2-bin/log4j-core-2.0-beta2.jar
80b690d982b030fb2f04854407744ff44e0b72ea  ./apache-log4j-2.0-beta3-bin/log4j-core-2.0-beta3.jar
8f87799c2bd24c120812ed3d5271b743cfc999b5  ./apache-log4j-2.0-beta4-bin/log4j-core-2.0-beta4.jar
b853dec96e815981280fb9a1cc08332a6ed946f9  ./apache-log4j-2.0-beta5-bin/log4j-core-2.0-beta5.jar
1fb514bfbec10815d68953ed2fc4dd8c98ee245f  ./apache-log4j-2.0-beta6-bin/log4j-core-2.0-beta6.jar
a727fe8e718b18d541f67077c99b2ca129f77065  ./apache-log4j-2.0-beta7-bin/log4j-core-2.0-beta7.jar
f6ed9c56c8d58c4670059ddf417df23c9a78ff30  ./apache-log4j-2.0-beta8-bin/log4j-core-2.0-beta8.jar
678861ba1b2e1fccb594bb0ca03114bb05da9695  ./apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar
7621fe28ce0122d96006bdb56c8e2cfb2a3afb92  ./apache-log4j-2.0-bin/log4j-core-2.0.jar
4363cdf913a584fe8fa72cf4c0eaae181ef7d1eb  ./apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar
2e8d52acfc8c2bbbaa7baf9f3678826c354f5405  ./apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar
895130076efaf6dcafb741ed7e97f2d346903708  ./apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar
13521c5364501478e28c77a7f86b90b6ed5dbb77  ./apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar
31823dcde108f2ea4a5801d1acc77869d7696533  ./apache-log4j-2.1-bin/log4j-core-2.1.jar
c707664e020218f8529b9a5e55016ee15f0f82ac  ./apache-log4j-2.2-bin/log4j-core-2.2.jar
58a3e964db5307e30650817c5daac1e8c8ede648  ./apache-log4j-2.3-bin/log4j-core-2.3.jar
0d99532ba3603f27bebf4cdd3653feb0e0b84cf6  ./apache-log4j-2.4-bin/log4j-core-2.4.jar

This file has been truncated. show original

github.com

mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt

# 2.X versions

bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6  ./apache-log4j-2.0-alpha2-bin/log4j-core-2.0-alpha2.jar
58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae  ./apache-log4j-2.0-beta1-bin/log4j-core-2.0-beta1.jar
ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4  ./apache-log4j-2.0-beta2-bin/log4j-core-2.0-beta2.jar
dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e  ./apache-log4j-2.0-beta3-bin/log4j-core-2.0-beta3.jar
a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8  ./apache-log4j-2.0-beta4-bin/log4j-core-2.0-beta4.jar
7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b  ./apache-log4j-2.0-beta5-bin/log4j-core-2.0-beta5.jar
4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47  ./apache-log4j-2.0-beta6-bin/log4j-core-2.0-beta6.jar
473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6  ./apache-log4j-2.0-beta7-bin/log4j-core-2.0-beta7.jar
b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02  ./apache-log4j-2.0-beta8-bin/log4j-core-2.0-beta8.jar
dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d  ./apache-log4j-2.0-beta9-bin/log4j-core-2.0-beta9.jar
85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c  ./apache-log4j-2.0-bin/log4j-core-2.0.jar
db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a  ./apache-log4j-2.0-rc1-bin/log4j-core-2.0-rc1.jar
ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0  ./apache-log4j-2.0-rc2-bin/log4j-core-2.0-rc2.jar
a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d  ./apache-log4j-2.0.1-bin/log4j-core-2.0.1.jar
c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d  ./apache-log4j-2.0.2-bin/log4j-core-2.0.2.jar
8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc  ./apache-log4j-2.1-bin/log4j-core-2.1.jar
c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a  ./apache-log4j-2.2-bin/log4j-core-2.2.jar
6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2  ./apache-log4j-2.3-bin/log4j-core-2.3.jar

This file has been truncated. show original

JasonWalker 2021-12-11 17:17:58 UTC #37

I like that idea quite a bit, but I wasn’t looking forward to building this list of hashes, so thanks very much for posting them!

JasonWalker 2021-12-11 17:29:05 UTC #38

The BigFix Team has published a KB article on affected BigFix components and workarounds. Please see https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486

I’ve opened an additional Forum thread for discussion specific to the BigFix components at CVE-2021-44228 Log4j impacts on BigFix

JasonWalker 2021-12-11 18:11:13 UTC #39

I’ve updated the Analysis at https://bigfix.me/analysis/details/2998660 to take this into account.
There is a new property that shows the pathname of the detected log4j-core JAR file, the sha256 hash of the file, and the matching Apache hash version (if any).

That can be important in cases where we mitigate the problem by replacing an older log4j .JAR file with the newer 2.15.0 version, but need to keep the old version’s filename for compatibility – like we are recommending in BigFix Compliance. The Analysis can tell us the file named log4j-core-2.14.0.jar is actually the 2.15.0 file based on its hash value.

Jstev 2021-12-11 18:18:25 UTC #40

I had modified the analysis to collect the hashes then used webreports to compare them but this is better. Thanks.

bobdennedy 2021-12-11 19:17:44 UTC #41

For for clarity, this means if a device shows a result for “potentially vulnerable” and not for the new hash property, we would consider it not vulnerable. It might have applied a similar mitigation as BigFix Compliance?

Or maybe said another way, if a device has a result for the new hash property that is not , it is a better indicator of having the vulnerability?

JasonWalker 2021-12-11 19:19:16 UTC #42

It may be that the computer hasn’t yet reported back for the hash property. I would expect every result from the “Log4j file paths” entry to have a matching Hash result property.