Vulnerability Scan: Log4j CVE-2021-44228 - superseded
Log In or Register to download the BES file, and more.

3 Votes

Versioning - This is an older version.

1Vulnerability Scan: Log4j CVE-2021-4422812/10/2021 9:53:10 AM
2Vulnerability Scan: Log4j CVE-2021-4422812/10/2021 5:08:44 PM
3Vulnerability Scan: Log4j CVE-2021-4422812/13/2021 7:45:21 AM
4DEPRECATED - Vulnerability Scan: Log4j CVE-2021-4422812/14/2021 9:37:36 AM

Description

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to &#8220;true&#8221; or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

This Task will scan local filesystems for file names matching Log4j JAR files and save the results to {pathname of storage folder of client}\BPS-Scans\CVE-2021-44228.txt

Those results will be parsed by an Analysis to flag whether the vulernable versions, i.e. earlier than 2.15.0, appear to be present.

 


Property Details

ID26889
TitleVulnerability Scan: Log4j CVE-2021-44228
DomainBESC
SourceInternal
Source Release Date12/14/2020 12:00:00 AM
KeywordsCVE, CVE-2021-44228, Log4j, vulnerability, scan
Is TaskTrue
Added by on 12/10/2021 5:08:44 PM
Last Modified by on 12/10/2021 5:08:44 PM
Counters 3173 Views / 190 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Relevance

Used in 30 fixlets and 16 analyses   * Results in a true/false
Show indented relevance
if exists property "in proxy agent context" then not in proxy agent context else true

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script
parameter "FilePattern"="log4j-core*.jar"

if {not exists folder "BPS-Scans" of storage folder of client}
    folder create "{pathname of storage folder of client}/BPS-Scans"
endif


delete __createfile
if {windows of operating system}
    parameter "ListFile"="{pathname of storage folder of client}\BPS-Scans\CVE-2021-44228.txt"
    createfile until EOF_EOF_EOF
{concatenation "%0d%0a" of ("dir /s /b " & it & "\" & parameter "FilePattern" & " >> %22" & (parameter "ListFile") & "%22 2>NUL") of names of drives whose (type of it = "DRIVE_FIXED")}
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF

    delete run_scan.cmd
    move __createfile run_scan.cmd
    delete "{parameter "ListFile"}"


    action uses wow64 redirection false
//the scan will continue to run in the background
    runhidden cmd.exe /c run_scan.cmd

elseif {mac of operating system}
    parameter "ListFile"="{pathname of storage folder of client}/BPS-Scans/CVE-2021-44228.txt"
    createfile until EOF_EOF_EOF
#!/bin/sh
find / -not -fstype nfs -name {parameter "FilePattern"} > "{parameter "ListFile"}"
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF

    delete run_scan.sh
    move __createfile run_scan.sh
    wait chmod +x ./run_scan.sh
    parameter "next"="true"
// Clear any previous scan output
    delete "{parameter "ListFile" of action}"
    
    run /bin/sh -c ./run_scan.sh


else
    parameter "ListFile"="{pathname of storage folder of client}/BPS-Scans/CVE-2021-44228.txt"
    createfile until EOF_EOF_EOF
#!/bin/sh
find / -not -fstype nfs -name {parameter "FilePattern"} > "{parameter "ListFile"}"
echo SCAN_COMPLETE >> "{parameter "ListFile"}"
EOF_EOF_EOF

    delete run_scan.sh
    move __createfile run_scan.sh
    wait chmod +x ./run_scan.sh
    parameter "next"="true"
// Clear any previous scan output
    delete "{parameter "ListFile" of action}"
    
    run /bin/sh -c ./run_scan.sh

endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 2

Action Link Click here to review this task in the bigfix.me Content Database.
Script Type URL
https://bigfix.me/cdb/fixlet/26728
    

Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!
dwilson -
This KB is for remediation for BF apps. https://support.hcltechsw.com/csm/en?id=kb_article&sysparm_article=KB0095486
myee17 -
Anyone have a remediation fix for when vulnerabilities are found?
dwilson -
Does this fixlet only find Log4j-core files? Doesn't seem to identify Log4j-api files.
srimurthy82 -
I have tested this in our Environment, seems to be an awesome Task. Got the required Results, Thank you so much !
bigfixusermatthew -
Thanks for the help Jason
JasonWalker -
Updated the scan to include log4j-core.jar files that do not specify version as part of the filename.