Hi Team,
Results are not coming for linux.Scan got completed but scan results are showing none.
We chcked manually the jar exists but not getting from the task and analysys.
/opt/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.4.0-java/lib/log4j/log4j/1.2.17/log4j-1.2.17.jar
/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-1.0.0-java/vendor/jar-dependencies/runtime-jars/log4j-1.2.17.jar
Please check my note a while up about the search filter.
Log4j 1.2 is not affected, this only looks for log4j-core-X versions.
parameter âFilePatternâ=âlog4j-core*.jarâ this one already in the action script right.Can you please help me
parameter âFilePatternâ=âlog4j-core*.jarâ ,can I use parameter âFilePatternâ=âlog4j *.jarâ
Sure, feel free to customize to your needs.
If you find additional modules that are impacted, that are found in your filter but not in the original, please do let me know!
if I customized the file pattern with log4j,I think analysys also need to modfiy right?
I am being challenged with potentially adding to the Windows System environment variables setting:
LOG4J_FORMAT_MSG_NO_LOOKUPS=true
Has anyone done this, or have a relevance to check for its existence on a windows system?
Any feed back on successfully mitigating the vulnerability, considering the potential other things that could make this ineffective?
Thank you
We are looking into this right now.
There are actually 3 different environment variables that you would need to merge this option into in order to be certain to disable it as far as I can tell.
This seems to be the safest and easiest option to globally disable this vulnerability.
"JDK_JAVA_OPTIONS";"_JAVA_OPTIONS";"JAVA_TOOL_OPTIONS"
You can read these env vars with an analysis property like follows: ( I havenât fully tested this relevance yet, but it should be universal for client 8.1.535.0+ )
values of (variables ("JDK_JAVA_OPTIONS";"_JAVA_OPTIONS";"JAVA_TOOL_OPTIONS") of it; (if (windows of operating system) then (x64 variables ("JDK_JAVA_OPTIONS";"_JAVA_OPTIONS";"JAVA_TOOL_OPTIONS") of it) else NOTHINGS) ) of environments
That said, you actually need to handle each variable as a separate case, and you need to âappendâ the new option into it while keeping all the existing ones, but also remove any existing LOG4J_FORMAT_MSG_NO_LOOKUPS configurations if there is one that is actually setting it to false for some reason.
You might actually want 3 separate fixlets/tasks to handle all 3 env vars independently.
I donât currently have example systems with results for this relevance, so it is hard for me to know what a complicated existing env var setting might look like.
It would be easiest to create a fixlet/task that would set this setting if these env vars do not yet exist, but harder to do if they do already have values within them that should be preserved.
No, the Analysis will still report the results - except I specifically exclude three extraneous hits from my filter (-javadoc.jar ; -javatest.jar; -source.jar)
Thanks Jason.
I will try if required
I am also looking at content for that (on Windows).
Can you confirm the value youâre expecting to add, maybe include a source? The guidance Iâm seeing refers to setting
-Dlog4j.formatMsgNoLookups=true
in the âJAVA_TOOL_OPTIONSâ variable, and possibly also in _JAVA_OPTIONS and JDK_JAVA_OPTIONS as @jgstew notes
I was looking at this too and took the reference from MS
Workarounds
To help mitigate the risk of this vulnerability until the more complete security update can be applied, customers should consider the following mitigations steps. A service restart will be required for these changes to take effect. These workarounds should not be considered a complete solution to resolve this vulnerability:
In case the Log4j 2 vulnerable component cannot be updated, Log4J 2 versions 2.10 to 2.14.1 support the parameter log4j2.formatMsgNoLookups to be set to âtrueâ, to disable the vulnerable feature. Ensure this parameter is configured in the startup scripts of the Java Virtual Machine:
-Dlog4j2.formatMsgNoLookups=true.
Alternatively, customers using Log4j 2.10 to 2.14.1 may set the LOG4J_FORMAT_MSG_NO_LOOKUPS=âtrueâ environment variable to force this change.
Kubernetes administrators may use âkubectl set envâ to set the LOG4J_FORMAT_MSG_NO_LOOKUPS=âtrueâ environment variable to apply the mitigation across Kubernetes clusters where the Java applications are running Log4j 2.10 to 2.14.1, effectively reflecting on all pods and containers automatically.
For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
I update Bigfix Compliance and VM Manger Tool but the version is 2.13.3. Should it not be 2.15.0?
Interesting, this seems like a cleaner option to use. Can much more easily tell if it is exists or not and if it is set to true or not.
I can handle the actionscript to set this on windows, but for everything else, especially UNIX, how do you set the env vars on the command line or file?
Having to use a file instead of a command is kind of a pain in some cases if the env var already exists.
I wonder if the env var must be set to exactly "true" or if it is case insensitive?
This would be TRUE on any system that needs this env var, and I am assuming it is case sensitive for now:
not exists unique values whose(it contains "true") of values of (variables ("LOG4J_FORMAT_MSG_NO_LOOKUPS") of it; (if (windows of operating system) then (x64 variables ("LOG4J_FORMAT_MSG_NO_LOOKUPS") of it) else NOTHINGS) ) of environments
I would say this action will require a restart for 2 reasons. One is that the bigfix client wonât update the results of env vars until restart of the agent I believe, but also, you must restart any services that launch JVMs for this setting to get picked up, and there might be an unknown number of services that would be affected, so it is hard to restart only the services that need it.
I havenât tested this, but this is what I came up with for actionscript:
// Note, this currently only handles windows, but could be expanded to handle other cases.
continue if {windows of operating system}
if {windows of operating system}
waithidden CMD /C setx LOG4J_FORMAT_MSG_NO_LOOKUPS true /m
if {x64 of operating system}
action uses wow64 redirection False
waithidden CMD /C setx LOG4J_FORMAT_MSG_NO_LOOKUPS true /m
endif
action requires restart
endif
// TODO: add actionscript to set env vars on non-windows:
The idea is to remove the continue if later once non-windows use cases are handled, as well as move the action requires restart to after the endif
This will be relevant on ALL systems, even those without apparent Java installed, but that is intended.
Seems like this command didnât work for me:
CMD /C set LOG4J_FORMAT_MSG_NO_LOOKUPS="true"
and this one doesnât keep the quotes?
CMD /C setx LOG4J_FORMAT_MSG_NO_LOOKUPS "true" /m
Is setx available on most windows OSes? Not sure how far back it goes.
Looking closer to the referenced MS doc, seems like the quotes are not needed.
Fixlet to apply this mitigation on windows here: bigfix-content/fixlet/set LOG4J_FORMAT_MSG_NO_LOOKUPS env var to TRUE - Universal - CVE-2021-44228 mitigation.bes at main ¡ jgstew/bigfix-content ¡ GitHub
Preserving quotes is a weirdness between CMD and SETX. This should work but itâs not at all clear to me that the value should have the literal doublequotes in it.
waithidden cmd.exe /c "setx /M LOG4J_FORMAT_MSG_NO_LOOKUPS """true""""
yeah, it seems it should NOT have the literal quotes in it now that I look closer.
If I recall correctly, setx goes at least as far back as XP/2003. Prior to that, I think it was an add-on from the Resource Kit tools.
This seems to be working for me on Win10 and Win11:
Not 100% sure how to test that it is getting picked up properly by java / log4j
Here is a fixlet that implements the detection of this mitigation on all platforms, but implements the workaround on all windows platforms here:
This needs actionscript added to set the env var on non-windows platforms. If anyone could provide examples, that would be helpful.
if {mac of operating system}
if {not exists lines containing "LOG4J_FORMAT_MSG_NO_LOOKUPS" of files "/etc/profile"}
wait /bin/sh -c '/bin/echo "export LOG4J_FORMAT_MSG_NO_LOOKUPS=true" >> /etc/profile'
endif
endif
if { unix of operating system }
if { exists folders "/etc/profile.d" AND not exists lines containing "LOG4J_FORMAT_MSG_NO_LOOKUPS" of files "/etc/profile.d/CVE-2021-44228.sh" }
wait /bin/sh -c 'echo -e "export LOG4J_FORMAT_MSG_NO_LOOKUPS=true" > /etc/profile.d/CVE-2021-44228.sh'
endif
endif
Not sure if AIX, HP-UX, Solaris, or others are special cases.