CVE-2021-44228 Log4j - Replace log4j-core-2.x.jar with log4j-core-2.16.0.jar (Windows)
Description
Replaces all Log4j-core-2.x.jar instances found by the Scanner task.
This Task requires a prior execution of the Scan task, currently linked at https://bigfix.me/fixlet/details/26897 (be sure to check for the latest version).
Where the Scan Task found log4j-core-2.x.jar, this Task will rename that file to log4j-core-2.x.jar-disabled, and replace the original file with log4j-core-2.16.0.jar.
The original filename will be retained for better compatibility with existing configuration files.
This operation does carry some risk, as it is difficult to predict how replacing the JAR file might affect the larger application. No warranty expressed, use at your own risk.
Property Details
| 26901 | |
| Alpha - Code that was just developed | |
| CVE-2021-44228 Log4j - Replace log4j-core-2.x.jar with log4j-core-2.16.0.jar (Windows) | |
| BESC | |
| Internal | |
| 12/10/2021 12:00:00 AM | |
| CVE, CVE-2021-44228, Log4j, vulnerability, environment, windows | |
| JasonWalker on 12/15/2021 9:43:06 AM | |
| JasonWalker on 12/15/2021 9:43:06 AM | |
| 4017 Views / 42 Downloads | |
Relevance
| Used in 2 fixlets | * Results in a true/false |
| Used in 1 fixlet | * Results in a true/false |
Actions
Action 1 (default)
//log4j-core-2.16.0.jar properties:
// sha1 539a445388aee52108700f26d9644989e7916e7c
// size 1789565
// sha256 085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869
//If the Action fails here, the previous scan may not have executed or may still be in progress
continue if {exists lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client}
//Check scan results to see whether any vulnerable log4j-core-2.x.jar files are found, before asking to download the new version
if {exists files( lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client) whose (name of it as lowercase starts with "log4j-core-2." and name of it as lowercase does not end with "-javadoc.jar" and name of it as lowercase does not end with "-sources.jar" and name of it as lowercase does not end with "-tests.jar" and name of it as version < version "2.16.0" and size of it != 1789565 and sha1 of it != "539a445388aee52108700f26d9644989e7916e7c") }
download as unzip.exe http://software.bigfix.com/download/redist/unzip-5.52.exe
continue if {(size of it = 167936 and sha1 of it ="e1652b058195db3f5f754b7ab430652ae04a50b8") of file "unzip.exe" of folder "__Download"}
download as apache-log4j-2.16.0-bin.zip https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip
continue if {(size of it = 14224771 and sha1 of it ="26230aca81e50c74c3d7bb19163ea0f1e3ad4596") of file "apache-log4j-2.16.0-bin.zip" of folder "__Download"}
waithidden __Download\unzip.exe __Download\apache-log4j-2.16.0-bin.zip -d __Download
delete __createfile
createfile until EOF_EOF_EOF
REM Preserve existing JAR files
{concatenation "%0d%0a" of ("COPY /Y %22" & it & "%22 %22" & it & "-disabled%22") of (pathname of it) of files( lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client) whose (name of it as lowercase starts with "log4j-core-2." and name of it as lowercase does not end with "-javadoc.jar" and name of it as lowercase does not end with "-sources.jar" and name of it as lowercase does not end with "-tests.jar" and name of it as version < version "2.16.0" and size of it != 1789565 and sha1 of it != "539a445388aee52108700f26d9644989e7916e7c")}
REM Overwrite with log4j-core-2.16.0.jar
{concatenation "%0d%0a" of ("COPY /Y %22__Download\apache-log4j-2.16.0-bin\log4j-core-2.16.0.jar%22 %22" & it & "%22") of (pathname of it) of files( lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client) whose (name of it as lowercase starts with "log4j-core-2." and name of it as lowercase does not end with "-javadoc.jar" and name of it as lowercase does not end with "-sources.jar" and name of it as lowercase does not end with "-tests.jar" and name of it as version < version "2.16.0" and size of it != 1789565 and sha1 of it != "539a445388aee52108700f26d9644989e7916e7c")}
EOF_EOF_EOF
delete replace_log4j.cmd
move __createfile replace_log4j.cmd
action uses wow64 redirection {not x64 of operating system}
waithidden cmd.exe /c replace_log4j.cmd
// Check success - no un-fixed log4j-core-2.x.jar files remain. Their sha hashes should be updated to reflect the 2.16.0 version
continue if {exists lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client AND not exists files( lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client) whose (name of it as lowercase starts with "log4j-core-2." and name of it as lowercase does not end with "-javadoc.jar" and name of it as lowercase does not end with "-sources.jar" and name of it as lowercase does not end with "-tests.jar" and name of it as version < version "2.16.0" and size of it != 1789565 and sha1 of it != "539a445388aee52108700f26d9644989e7916e7c") }
action requires restart "log4j_file_replacement"
endif
This action will be considered successful when the applicability relevance evaluates to false.
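An independent post-run check, added here as an example and not part of the fixlet: because the replacement keeps the original filename, the name no longer indicates which version a file contains, so this Python script re-applies the action's filename filter to the scan list and compares each remaining file against the log4j-core-2.16.0.jar sha256 listed in the action's comments. The function names, the filename-based version parse (an approximation of BigFix's `as version`) and the scan-list path passed on the command line are assumptions.

```python
import hashlib
import re
import sys
from pathlib import Path

# sha256 of log4j-core-2.16.0.jar, as listed in the action script comments.
GOOD_SHA256 = "085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869"
FIXED = (2, 16, 0)
EXCLUDED_SUFFIXES = ("-javadoc.jar", "-sources.jar", "-tests.jar")


def version_from_name(name):
    """Dotted version embedded in a log4j-core jar name, or None (assumed parse)."""
    m = re.match(r"log4j-core-(\d+(?:\.\d+)*)", name.lower())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def still_unfixed(scan_lines, good_sha256=GOOD_SHA256):
    """Paths from the scan list whose name says < 2.16.0 and whose content is not 2.16.0."""
    unfixed = []
    for line in scan_lines:
        path = Path(line.strip())
        name = path.name.lower()
        if not path.is_file():
            continue  # blank line, or file removed since the scan
        if not name.startswith("log4j-core-2.") or name.endswith(EXCLUDED_SUFFIXES):
            continue  # same name filter as the action's relevance
        version = version_from_name(name)
        if version is None or version >= FIXED:
            continue
        # Stricter than the action's combined size/sha1 test: sha256 alone decides.
        if sha256_of(path) != good_sha256:
            unfixed.append(str(path))
    return unfixed


if __name__ == "__main__":
    # Usage: python check_log4j.py <path to CVE-2021-44228.txt>
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        remaining = still_unfixed(fh)
    print("\n".join(remaining) or "no unfixed log4j-core-2.x jars in scan list")
    sys.exit(1 if remaining else 0)
```

A non-zero exit code means at least one listed jar still has pre-2.16.0 content under its original name.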
Comments
| The URL to download the log4j 2.16 files is no longer valid, as Apache had replaced the files with 2.17 ones. The fixlet needs to be updated to download 2.17 files. | |
| Great fixlet Jason! I tested it and have one question: some of our server applications use the log4j-core jar without the version in the name. From my test, the fixlet will only replace log4j-core-2.x.jar files as intended. Any suggestion on how to modify the fixlet to also replace files with the name "log4j-core.jar"? | |

