Vulnerability Scan: Log4j CVE-2021-44228 - superseded
Log In or Register to download the BES file, and more.

3 Votes

Versioning - This is an older version.

1Vulnerability Scan: Log4j CVE-2021-4422812/10/2021 9:53:10 AM
2Vulnerability Scan: Log4j CVE-2021-4422812/10/2021 5:08:44 PM
3Vulnerability Scan: Log4j CVE-2021-4422812/13/2021 7:45:21 AM
4DEPRECATED - Vulnerability Scan: Log4j CVE-2021-4422812/14/2021 9:37:36 AM

Description

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to &#8220;true&#8221; or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

This Task will scan local filesystems for file names matching Log4j JAR files and save the results to {pathname of storage folder of client}\BPS-Scans\CVE-2021-44228.txt

Those results will be parsed by an Analysis to flag whether the vulernable versions, i.e. earlier than 2.15.0, appear to be present.

 

Property Details

ID26889
TitleVulnerability Scan: Log4j CVE-2021-44228
DomainBESC
SourceInternal
Source Release Date12/14/2020 12:00:00 AM
KeywordsCVE, CVE-2021-44228, Log4j, vulnerability, scan
Is TaskTrue
Added by on 12/10/2021 5:08:44 PM
Last Modified by on 12/10/2021 5:08:44 PM
Counters 3568 Views / 190 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Relevance

Used in 32 fixlets and 17 analyses   * Results in a true/false
Show indented relevance
if exists property "in proxy agent context" then not in proxy agent context else true

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script 
parameter "FilePattern"="log4j-core*.jar"

if {not exists folder "BPS-Scans" of storage folder of client}
    folder create "{pathname of storage folder of client}/BPS-Scans"
endif


delete __createfile
if {windows of operating system}
    parameter "ListFile"="{pathname of storage folder of client}\BPS-Scans\CVE-2021-44228.txt"
    createfile until EOF_EOF_EOF
{concatenation "%0d%0a" of ("dir /s /b " & it & "\" & parameter "FilePattern" & " >> %22" & (parameter "ListFile") & "%22 2>NUL") of names of drives whose (type of it = "DRIVE_FIXED")} 
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF

    delete run_scan.cmd
    move __createfile run_scan.cmd
    delete "{parameter "ListFile"}"


    action uses wow64 redirection false
	//the scan will continue to run in the background
    runhidden cmd.exe /c run_scan.cmd

elseif {mac of operating system}
    parameter "ListFile"="{pathname of storage folder of client}/BPS-Scans/CVE-2021-44228.txt"
    createfile until EOF_EOF_EOF
#!/bin/sh
find / -not -fstype nfs -name {parameter "FilePattern"} > "{parameter "ListFile"}" 
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF

    delete run_scan.sh
    move __createfile run_scan.sh
    wait chmod +x ./run_scan.sh
    parameter "next"="true"
	// Clear any previous scan output
    delete "{parameter "ListFile" of action}"
    
    run /bin/sh -c ./run_scan.sh


else
    parameter "ListFile"="{pathname of storage folder of client}/BPS-Scans/CVE-2021-44228.txt"
    createfile until EOF_EOF_EOF
#!/bin/sh
find / -not -fstype nfs -name {parameter "FilePattern"} > "{parameter "ListFile"}"
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF

    delete run_scan.sh
    move __createfile run_scan.sh
    wait chmod +x ./run_scan.sh
    parameter "next"="true"
	// Clear any previous scan output
    delete "{parameter "ListFile" of action}"
    
    run /bin/sh -c ./run_scan.sh

endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 2

Action Link Click here to review this task in the bigfix.me Content Database.
Script Type URL 
https://bigfix.me/cdb/fixlet/26728

Sharing

Social Media:
Share this page on Yammer


Comments

Log In or Register to leave comments!
dwilson -
This KB is for remediation for BF apps. https://support.hcltechsw.com/csm/en?id=kb_article&sysparm_article=KB0095486
myee17 -
Anyone have a remediation fix for when vulnerabilities are found?
dwilson -
Does this fixlet only find Log4j-core files? Doesn't seem to identify Log4j-api files.
srimurthy82 -
I have tested this in our Environment, seems to be an awesome Task. Got the required Results, Thank you so much !
bigfixusermatthew -
Thanks for the help Jason
JasonWalker -
Updated the scan to include log4j-core.jar files that do not specify version as part of the filename.
 

Content

Search
Share
Learn
Projects

Utilities

View SCM Scripts
Base64 Converter
Shell to Action Script

About

About Us
Tour
FAQ
Terms
Contact Us

BigFix Resources

Download BigFix
Support
Forum
Github/Bigfix
bigfix.me All Content
Hosted on bigfixme-as