Vulnerability Scan: Log4j CVE-2021-44228 - superseded
Versioning - This is an older version.
1 | Vulnerability Scan: Log4j CVE-2021-44228 | 12/10/2021 9:53:10 AM |
2 | Vulnerability Scan: Log4j CVE-2021-44228 | 12/10/2021 5:08:44 PM |
3 | Vulnerability Scan: Log4j CVE-2021-44228 | 12/13/2021 7:45:21 AM |
4 | DEPRECATED - Vulnerability Scan: Log4j CVE-2021-44228 | 12/14/2021 9:37:36 AM |
Description
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
This Task will scan local filesystems for file names matching Log4j JAR files and save the results to {pathname of storage folder of client}\BPS-Scans\CVE-2021-44228.txt
Those results will be parsed by an Analysis to flag whether the vulnerable versions, i.e. earlier than 2.15.0, appear to be present.
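The Analysis that parses the results is not shown on this page. As an added example (not the Task author's or BigFix's code), the shell functions below do a comparable check on the list file. They assume one path per line followed by the SCAN_COMPLETE marker, as the action writes it, and read the version from the file name only. The function names, verdict labels and sample paths are constructed for illustration.

```sh
#!/bin/sh
# classify_path PATH -> prints VULNERABLE, OK, or UNKNOWN (no version in name)
classify_path() {
    # Accept Windows or POSIX separators and drop any trailing CR
    name=$(printf '%s' "$1" | tr '\\' '/' | tr -d '\r')
    name=${name##*/}
    ver=$(printf '%s\n' "$name" |
        sed -n 's/^log4j-core-\([0-9][0-9]*\)\.\([0-9][0-9]*\).*\.jar$/\1 \2/p')
    if [ -z "$ver" ]; then
        echo UNKNOWN        # e.g. log4j-core.jar: needs manual inspection
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 15 ]; }; then
        echo VULNERABLE
    else
        echo OK
    fi
}

# summarize_scan FILE -> one "<verdict> <path>" line per entry, then a STATUS line
summarize_scan() {
    complete=no
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case $line in
            '') ;;
            SCAN_COMPLETE*) complete=yes ;;   # marker appended when the scan ends
            *) printf '%s %s\n' "$(classify_path "$line")" "$line" ;;
        esac
    done < "$1"
    # Without the marker the background scan is still running or was interrupted
    if [ "$complete" = yes ]; then echo "STATUS complete"; else echo "STATUS incomplete"; fi
}

# Constructed sample list file (not real scan output)
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
C:\app\lib\log4j-core-2.14.1.jar
/opt/svc/lib/log4j-core-2.15.0.jar
/opt/old/log4j-core.jar
SCAN_COMPLETE
EOF
    summarize_scan "$tmp"
    rm -f "$tmp"
}
demo
```

An UNKNOWN verdict means the file name carries no version, so the JAR itself has to be inspected; a STATUS of incomplete means the list should not yet be treated as a full inventory.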
Property Details
26889 | |
Vulnerability Scan: Log4j CVE-2021-44228 | |
BESC | |
Internal | |
12/14/2020 12:00:00 AM | |
CVE, CVE-2021-44228, Log4j, vulnerability, scan | |
True | |
JasonWalker on 12/10/2021 5:08:44 PM | |
JasonWalker on 12/10/2021 5:08:44 PM | |
3636 Views / 190 Downloads | |
Relevance

Actions
Action 1 (default)
parameter "FilePattern"="log4j-core*.jar"
if {not exists folder "BPS-Scans" of storage folder of client}
folder create "{pathname of storage folder of client}/BPS-Scans"
endif
delete __createfile
if {windows of operating system}
parameter "ListFile"="{pathname of storage folder of client}\BPS-Scans\CVE-2021-44228.txt"
createfile until EOF_EOF_EOF
{concatenation "%0d%0a" of ("dir /s /b " & it & "\" & parameter "FilePattern" & " >> %22" & (parameter "ListFile") & "%22 2>NUL") of names of drives whose (type of it = "DRIVE_FIXED")}
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF
delete run_scan.cmd
move __createfile run_scan.cmd
delete "{parameter "ListFile"}"
action uses wow64 redirection false
//the scan will continue to run in the background
runhidden cmd.exe /c run_scan.cmd
elseif {mac of operating system}
parameter "ListFile"="{pathname of storage folder of client}/BPS-Scans/CVE-2021-44228.txt"
createfile until EOF_EOF_EOF
#!/bin/sh
find / -not -fstype nfs -name "{parameter "FilePattern"}" > "{parameter "ListFile"}"
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF
delete run_scan.sh
move __createfile run_scan.sh
wait chmod +x ./run_scan.sh
parameter "next"="true"
// Clear any previous scan output
delete "{parameter "ListFile" of action}"
run /bin/sh -c ./run_scan.sh
else
parameter "ListFile"="{pathname of storage folder of client}/BPS-Scans/CVE-2021-44228.txt"
createfile until EOF_EOF_EOF
#!/bin/sh
find / -not -fstype nfs -name "{parameter "FilePattern"}" > "{parameter "ListFile"}"
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF
delete run_scan.sh
move __createfile run_scan.sh
wait chmod +x ./run_scan.sh
parameter "next"="true"
// Clear any previous scan output
delete "{parameter "ListFile" of action}"
run /bin/sh -c ./run_scan.sh
endif
This action will be considered successful when the applicability relevance evaluates to false.
Action 2
https://bigfix.me/cdb/fixlet/26728
Comments
This KB is for remediation for BF apps. https://support.hcltechsw.com/csm/en?id=kb_article&sysparm_article=KB0095486
Anyone have a remediation fix for when vulnerabilities are found?
Does this fixlet only find Log4j-core files? Doesn't seem to identify Log4j-api files.
I have tested this in our Environment, seems to be an awesome Task. Got the required Results, Thank you so much!
Thanks for the help Jason
Updated the scan to include log4j-core.jar files that do not specify version as part of the filename.