DEPRECATED - Vulnerability Scan Results: CVE-2021-44228 Log4j

Versioning - This is the latest version.

  1. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/10/2021 9:52:42 AM
  2. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/10/2021 10:21:09 AM
  3. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/11/2021 10:06:23 AM
  4. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/11/2021 10:07:46 AM
  5. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/13/2021 7:45:47 AM
  6. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/13/2021 8:44:24 AM
  7. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/13/2021 10:57:04 AM
  8. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/13/2021 11:21:29 AM
  9. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/14/2021 9:37:56 AM
  10. Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/16/2021 1:04:25 PM
  11. DEPRECATED - Vulnerability Scan Results: CVE-2021-44228 Log4j - 12/16/2021 3:19:21 PM

Description

DEPRECATED - See https://forum.bigfix.com/t/log4j-cve-2021-44228-cve-2021-45046-summary-page/40222 for latest

Warnings & Limitations:

  • This Analysis parses results generated by the related Task "Vulnerability Scan: Log4j CVE-2021-44228"
  • That Task uses shell scripts with 'dir /s' on Windows or 'find' on Linux/UNIX.  It only identifies vulnerable files matching the file name pattern.  Log4j libraries that have been renamed or embedded in other JAR, WAR, EAR, or ZIP files are not detected.
  • This method is largely superseded by the newer "Log4j-scan / Logpresso" content.

This Analysis parses the results of a scan for vulnerable Log4j files based on CVE-2021-44228.

Versions of Log4j-core lower than 2.15.0 may be vulnerable to CVE-2021-44228 as described at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Versions of Log4j-core lower than 2.16.0 may be vulnerable to CVE-2021-45046 as described at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Note: CVE-2021-45046 also appears to be patched in Log4j-core-2.12.2.jar, which may be needed to run with JRE 7.

This Analysis parses the results of a filesystem scan executed by the accompanying Task.

Properties reported:

  • CVE-2021-44228 - Scan Results Exist - Indicates the scan has been performed on the affected endpoint.
  • CVE-2021-44228 - Scan Completion Time - Indicates the time the scan completed, if the scan is not still in progress.
  • CVE-2021-44228 - Log4j pathnames - Indicates the file paths where any log4j-core*.jar file has been found
  • CVE-2021-44228 - Log4j potentially vulnerable pathnames - Based on the log4j-core file name, indicates any paths where a version earlier than  2.15.0 may be found
  • CVE-2021-44228 - Log4j path, sha1, and matching known version - For all detected log4j-core-X.jar files, compare the given file to a list of known sha1 hashes and indicate whether the file matches any of the known hashes.  This is useful for older BigFix clients that may lack the sha256 inspector.

The comparison between detected files, and known sha256 / sha1 hashes, can be helpful to indicate whether a given file has been replaced by the corrected 2.15.0 version while keeping an earlier version filename for application compatibility.
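
The name-based and hash-based properties can disagree, and the disagreement is the useful signal. The Python sketch below is an added example, not part of the BigFix content: it approximates the "potentially vulnerable pathnames" filter and the sha1 lookup, assuming the results file holds one pathname per line. The function names are hypothetical, and the byte strings and hash table are constructed stand-ins for real JARs.

```python
import hashlib
import re

# Same shape as the property's regex: [[:digit:]]{1,3}(\.[[:digit:]]{1,3}){1,3}
VERSION_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){1,3}")
SKIP_SUFFIXES = ("-javadoc.jar", "-sources.jar", "-tests.jar")

def scan_lines(text):
    """Result lines minus the SCAN_COMPLETE marker and non-runtime JARs."""
    lines = (raw.strip() for raw in text.splitlines())
    return [l for l in lines if l and not l.startswith("SCAN_COMPLETE")
            and not l.lower().endswith(SKIP_SUFFIXES)]

def potentially_vulnerable(line):
    """True unless the first version string in the line is >= 2.16.0 or 2.12.2."""
    m = VERSION_RE.search(line)  # first match anywhere in the pathname
    if m is None:
        return True  # no version in the name, so the name cannot clear it
    parts = tuple(int(p) for p in m.group().split("."))
    v = parts + (0,) * (4 - len(parts))  # pad so 2.16 compares like 2.16.0
    return not (v >= (2, 16, 0, 0) or v == (2, 12, 2, 0))

def known_version(data, known):
    """Release name whose SHA-1 matches the file bytes, as in the sha1 property."""
    if data is None:
        return "Not Found"
    return known.get(hashlib.sha1(data).hexdigest(), "Not Matched")

def report(text, contents, known):
    """(pathname, flagged by name, hash match) for every result line."""
    return [(p, potentially_vulnerable(p), known_version(contents.get(p), known))
            for p in scan_lines(text)]

# Constructed sample data: byte strings stand in for JAR contents, and the
# hash table is built from them rather than from real Log4j releases.
JAR_OLD, JAR_FIXED = b"constructed 2.14.1 bytes", b"constructed 2.16.0 bytes"
KNOWN = {hashlib.sha1(JAR_OLD).hexdigest(): "log4j-core-2.14.1.jar",
         hashlib.sha1(JAR_FIXED).hexdigest(): "log4j-core-2.16.0.jar"}
SAMPLE_SCAN = """/opt/app/lib/log4j-core-2.14.1.jar
/opt/app/lib/log4j-core-2.14.1-sources.jar
/opt/svc/lib/log4j-core-2.12.2.jar
/opt/old/lib/log4j-core.jar
SCAN_COMPLETE
"""
# The first path was patched in place: old file name, fixed release inside.
CONTENTS = {"/opt/app/lib/log4j-core-2.14.1.jar": JAR_FIXED,
            "/opt/svc/lib/log4j-core-2.12.2.jar": b"unrecognised bytes"}

if __name__ == "__main__":
    for row in report(SAMPLE_SCAN, CONTENTS, KNOWN):
        print(row)
```

In this sketch the first version-like string in the whole pathname decides the result, so a versioned directory earlier in the path (for example `app-1.2/`) is matched before the JAR's own version and the line stays flagged.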

Update 12/16/2021 .2:

  • Updated 'potentially vulnerable pathnames' property to match versions via regular expression; the built-in 'as version' cast matched incorrectly on some OS/Platform versions.

Update 12/16/2021:

  • Add hash for Log4j-core-2.12.2.jar
  • Add hash for Log4j-core-2.16.0.jar
  • Include 2.15.0 in the "Potentially Vulnerable" results.
  • Exclude 2.12.2 in the "Potentially Vulnerable" results.

Update 12/13/2021:

  • Shorter matching product names for sha256 comparison.
  • Add sha1 comparison
  • Use 'native file' if available, to avoid Wow64 Redirection on 64-bit Windows

Update 12/13/2021.02:

  • Avoid `storage folder of client` in favor of `folder(pathname of parent folder of parent folder of client folder of site "actionsite")`, to handle much older BES Client versions.


Property Details

ID: 2998668
Status: Alpha - Code that was just developed
Title: DEPRECATED - Vulnerability Scan Results: CVE-2021-44228 Log4j
Domain: BESC
Keywords: CVE, CVE-2021-44228, Log4j, vulnerability, scan
Added by on 12/16/2021 3:19:21 PM
Last Modified by on 12/21/2021 11:22:17 AM
Counters 7537 Views / 147 Downloads

Properties

CVE-2021-44228 - Scan Results Exist
Period 6 hours
 
exists files "BPS-Scans/CVE-2021-44228.txt" of folder(pathname of parent folder of parent folder of client folder of site "actionsite")
CVE-2021-44228 - Scan Completion Time
Period 6 hours
 
modification times of files "BPS-Scans/CVE-2021-44228.txt" whose ((if exists property "locked lines" then (locked line (number of locked lines of it) of it) else (line (number of lines of it) of it)) starts with "SCAN_COMPLETE") of folder(pathname of parent folder of parent folder of client folder of site "actionsite")
CVE-2021-44228 - Log4j pathnames
Period 6 hours
 
(if exists property "locked lines" then locked lines of it else lines of it) whose (it does not start with "SCAN_COMPLETE" and it as lowercase does not end with "-javadoc.jar" and it as lowercase does not end with "-sources.jar" and it as lowercase does not end with "-tests.jar") of files "BPS-Scans/CVE-2021-44228.txt" of folder(pathname of parent folder of parent folder of client folder of site "actionsite")
CVE-2021-44228 - Log4j potentially vulnerable pathnames
Period 6 hours
 
it whose (not exists (first matches (regex("[[:digit:]]{1,3}(\.[[:digit:]]{1,3}){1,3}")) of it) whose (it as version >= version "2.16.0" or it as version = version "2.12.2")) of (it as string) of (if exists property "locked lines" then locked lines of it else lines of it) whose (it does not start with "SCAN_COMPLETE" and it as lowercase does not end with "-javadoc.jar" and it as lowercase does not end with "-sources.jar" and it as lowercase does not end with "-tests.jar") of files "BPS-Scans/CVE-2021-44228.txt" of folder(pathname of parent folder of parent folder of client folder of site "actionsite")
CVE-2021-44228 - Log4j path, sha1, and matching known version
Period 6 hours
 
(item 0 of item 0 of it, item 1 of item 0 of it, unique value of following text of first ":" of item 1 of (item 1 of item 0 of it, elements of item 1 of it) whose (item 0 of it = preceding text of first ":" of item 1 of it) | "Not Matched") of ((it, sha1 of (if exists property "native file" then native file (it) else file(it)) | "Not Found") of (it as string) of (if exists property "locked lines" then locked lines of it else lines of it) whose (it does not start with "SCAN_COMPLETE" and it as lowercase does not end with "-javadoc.jar" and it as lowercase does not end with "-sources.jar" and it as lowercase does not end with "-tests.jar") of files "BPS-Scans/CVE-2021-44228.txt" of folder(pathname of parent folder of parent folder of client folder of site "actionsite"), set of ("685125b7b8bbd7c2f58259937090ac2ae9bcb129:log4j-core-2.0-alpha2.jar"; "7058796a0aa49ea21ea2cc7bf9dece0d3b8942ae:log4j-core-2.0-beta1.jar"; "b5f9c15e1fb18d84193ac10e4bfb88af1724f5cd:log4j-core-2.0-beta2.jar"; "80b690d982b030fb2f04854407744ff44e0b72ea:log4j-core-2.0-beta3.jar"; "8f87799c2bd24c120812ed3d5271b743cfc999b5:log4j-core-2.0-beta4.jar"; "b853dec96e815981280fb9a1cc08332a6ed946f9:log4j-core-2.0-beta5.jar"; "1fb514bfbec10815d68953ed2fc4dd8c98ee245f:log4j-core-2.0-beta6.jar"; "a727fe8e718b18d541f67077c99b2ca129f77065:log4j-core-2.0-beta7.jar"; "f6ed9c56c8d58c4670059ddf417df23c9a78ff30:log4j-core-2.0-beta8.jar"; "678861ba1b2e1fccb594bb0ca03114bb05da9695:log4j-core-2.0-beta9.jar"; "7621fe28ce0122d96006bdb56c8e2cfb2a3afb92:log4j-core-2.0.jar"; "4363cdf913a584fe8fa72cf4c0eaae181ef7d1eb:log4j-core-2.0-rc1.jar"; "2e8d52acfc8c2bbbaa7baf9f3678826c354f5405:log4j-core-2.0-rc2.jar"; "895130076efaf6dcafb741ed7e97f2d346903708:log4j-core-2.0.1.jar"; "13521c5364501478e28c77a7f86b90b6ed5dbb77:log4j-core-2.0.2.jar"; "31823dcde108f2ea4a5801d1acc77869d7696533:log4j-core-2.1.jar"; "c707664e020218f8529b9a5e55016ee15f0f82ac:log4j-core-2.2.jar"; "58a3e964db5307e30650817c5daac1e8c8ede648:log4j-core-2.3.jar"; 
"0d99532ba3603f27bebf4cdd3653feb0e0b84cf6:log4j-core-2.4.jar"; "a5334910f90944575147fd1c1aef9f407c24db99:log4j-core-2.4.1.jar"; "7ed845de1dfe070d43511fab321784e6c4118398:log4j-core-2.5.jar"; "a7cb258b9c36f49c148834a3a35b53fe73c28777:log4j-core-2.6.jar"; "2b557bf1023c3a3a0f7f200fafcd7641b89cbb83:log4j-core-2.6.1.jar"; "00a91369f655eb1639c6aece5c5eb5108db18306:log4j-core-2.6.2.jar"; "a3f2b4e64c61a7fc1ed8f1e5ba371933404ed98a:log4j-core-2.7.jar"; "2be463a710be42bb6b4831b980f0d270b98ff233:log4j-core-2.8.jar"; "4ac28ff2f1ddf05dae3043a190451e8c46b73c31:log4j-core-2.8.1.jar"; "979fc0cf8460302e4ffbfe38c1b66a99450b0bb7:log4j-core-2.8.2.jar"; "ff857555cec4635c272286a260dbd7979c89d5b8:log4j-core-2.9.0.jar"; "8c59f9db4e5eebf7e99aa0ed2eb129bd5d8ef4f8:log4j-core-2.9.1.jar"; "989bbd2b84eba4b88a4b2a889393fac5b297e1df:log4j-core-2.10.0.jar"; "3b1c23b9117786e23cc3be6224b484d77c50c1f2:log4j-core-2.11.0.jar"; "38b9c3790c99cef205a890db876c89fd9238706c:log4j-core-2.11.1.jar"; "5bcfefcd7474c2f439576a1839ea0aeeec07f3b6:log4j-core-2.11.2.jar"; "73fe23297ccf73bad25a04e089d9627f8bf3041f:log4j-core-2.12.0.jar"; "c28f281548582ec68376e66dbde48be24fcdb457:log4j-core-2.12.1.jar"; "89dbadf768390bae08694d183c6fac7745a3714b:log4j-core-2.12.2.jar"; "ef568faca168deee9adbe6f42ca8f4de6ca4557b:log4j-core-2.13.0.jar"; "5eb5ab96f8fc087135ef969ed99c76b64d255d44:log4j-core-2.13.1.jar"; "16f7b2f63b0290281294c2cbc4f26ba32f71de34:log4j-core-2.13.2.jar"; "6556d71742808e4324eabc500bd7f2cc8c004440:log4j-core-2.13.3.jar"; "94bc1813a537b3b5c04f9b4adead3c434f364a70:log4j-core-2.14.0.jar"; "c476bd8acb6e7e55f14195a88fa8802687fcf542:log4j-core-2.14.1.jar"; "e7dc681a6da4f2f203dccd1068a1ea090f67a057:log4j-core-2.0-alpha1.jar";"9bd89149d5083a2a3ab64dcc88b0227da14152ec:log4j-core-2.15.0.jar";"539a445388aee52108700f26d9644989e7916e7c:log4j-core-2.16.0.jar"))

Relevance

Used in 33 fixlets and 17 analyses
if exists property "in proxy agent context" then not in proxy agent context else true


Comments

AlexAymonier -
Jason, just want to say a huge thank you. This and the scan have really really helped us out this weekend. Can't thank you enough for my Wintel and Unix team :-) Merry Christmas sunshine
mgelmer02 -
For 'quasi-false positives' where vulnerable files have been deleted but still reside in the Windows 'Recycle Bin', I added this recycle bin check to CVE-2021-44228 - Log4j potentially vulnerable pathnames: it does not start with "SCAN_COMPLETE" and it as lowercase does not contain "\$recycle.bin\"
sistrete -
Hello. If affected files are inside an archive like war, tar, etc., how can I search for them?