CVE-2021-44228 Log4j - Replace log4j-core-2.x.jar with log4j-core-2.16.0.jar (Windows)

Description

Replaces all Log4j-core-2.x.jar instances found by the Scanner task.

This Task requires a prior execution of the Scan task, currently linked at https://bigfix.me/fixlet/details/26897 (be sure to check for the latest version).

Where the Scan Task found log4j-core-2.x.jar, this Task will rename that file to log4j-core-2.x.jar-disabled, and replace the original file with log4j-core-2.16.0.jar.

The original filename will be retained for better compatibility with existing configuration files.

This operation does carry some risk, as it is difficult to predict how replacing the JAR file might affect the larger application. No warranty expressed, use at your own risk.

 


Property Details

ID: 26901
Status: Alpha - Code that was just developed
Title: CVE-2021-44228 Log4j - Replace log4j-core-2.x.jar with log4j-core-2.16.0.jar (Windows)
Domain: BESC
Source: Internal
Source Release Date: 12/10/2021 12:00:00 AM
Keywords: CVE, CVE-2021-44228, Log4j, vulnerability, environment, windows
Added by on 12/15/2021 9:43:06 AM
Last Modified by on 12/15/2021 9:43:06 AM

Relevance

Used in 2 fixlets   * Results in a true/false
if( name of operating system starts with "Win" ) then platform id of operating system != 3 else true
Used in 13 fixlets and 16 analyses   * Results in a true/false
windows of operating system AND (if exists property "in proxy agent context" then not in proxy agent context else true)
Used in 1 fixlet   * Results in a true/false
exists files "BPS-Scans/CVE-2021-44228.txt" of parent folder of parent folder of client folder of site "actionsite"

Actions

Action 1 (default)

Script Type: BigFix Action Script
//log4j-core-2.16.0.jar properties:
// sha1 539a445388aee52108700f26d9644989e7916e7c
// size 1789565
// sha256 085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869


//If the Action fails here, the previous scan may not have executed or may still be in progress
continue if {exists lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client}

//Check scan results to see whether any vulnerable log4j-core-2.x.jar files are found, before asking to download the new version
if {exists files( lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client) whose (name of it as lowercase starts with "log4j-core-2." and name of it as lowercase does not end with "-javadoc.jar" and name of it as lowercase does not end with "-sources.jar" and name of it as lowercase does not end with "-tests.jar" and name of it as version < version "2.16.0" and size of it != 1789565 and sha1 of it != "539a445388aee52108700f26d9644989e7916e7c") }

download as unzip.exe http://software.bigfix.com/download/redist/unzip-5.52.exe
continue if {(size of it = 167936 and sha1 of it ="e1652b058195db3f5f754b7ab430652ae04a50b8") of file "unzip.exe" of folder "__Download"}

download as apache-log4j-2.16.0-bin.zip https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip
continue if {(size of it = 14224771 and sha1 of it ="26230aca81e50c74c3d7bb19163ea0f1e3ad4596") of file "apache-log4j-2.16.0-bin.zip" of folder "__Download"}

waithidden __Download\unzip.exe __Download\apache-log4j-2.16.0-bin.zip -d __Download

delete __createfile
createfile until EOF_EOF_EOF
REM Preserve existing JAR files
{concatenation "%0d%0a" of ("COPY /Y %22" & it & "%22 %22" & it & "-disabled%22") of (pathname of it) of files( lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client) whose (name of it as lowercase starts with "log4j-core-2." and name of it as lowercase does not end with "-javadoc.jar" and name of it as lowercase does not end with "-sources.jar" and name of it as lowercase does not end with "-tests.jar" and name of it as version < version "2.16.0" and size of it != 1789565 and sha1 of it != "539a445388aee52108700f26d9644989e7916e7c")}

REM Overwrite with log4j-core-2.16.0.jar
{concatenation "%0d%0a" of ("COPY /Y %22__Download\apache-log4j-2.16.0-bin\log4j-core-2.16.0.jar%22 %22" & it & "%22") of (pathname of it) of files( lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client) whose (name of it as lowercase starts with "log4j-core-2." and name of it as lowercase does not end with "-javadoc.jar" and name of it as lowercase does not end with "-sources.jar" and name of it as lowercase does not end with "-tests.jar" and name of it as version < version "2.16.0" and size of it != 1789565 and sha1 of it != "539a445388aee52108700f26d9644989e7916e7c")}

EOF_EOF_EOF

delete replace_log4j.cmd
move __createfile replace_log4j.cmd

action uses wow64 redirection {not x64 of operating system}
waithidden cmd.exe /c replace_log4j.cmd

// Check success - no un-fixed log4j-core-2.x.jar files remain. Their sha hashes should be updated to reflect the 2.16.0 version
continue if {exists lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client AND not exists files( lines of files "CVE-2021-44228.txt" of folders "BPS-Scans" of parent folder of client) whose (name of it as lowercase starts with "log4j-core-2." and name of it as lowercase does not end with "-javadoc.jar" and name of it as lowercase does not end with "-sources.jar" and name of it as lowercase does not end with "-tests.jar" and name of it as version < version "2.16.0" and size of it != 1789565 and sha1 of it != "539a445388aee52108700f26d9644989e7916e7c") }
action requires restart "log4j_file_replacement"

endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
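
An added example (not part of the fixlet or of BigFix): a Python post-check that reads the scan output the action relies on, applies an approximation of the action's name filter, and confirms that each listed JAR now matches the SHA-256 given in the action's comments, since the action itself compares only size and SHA-1. It assumes CVE-2021-44228.txt holds one pathname per line; the function names and report keys are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 of log4j-core-2.16.0.jar as listed in the action script comments.
FIXED_SHA256 = "085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869"
EXCLUDED_SUFFIXES = ("-javadoc.jar", "-sources.jar", "-tests.jar")
NAME_RE = re.compile(r"^log4j-core-(2(?:\.\d+)+)")


def in_scope(path: Path) -> bool:
    """Approximate the fixlet's name filter: log4j-core-2.x named below 2.16.0."""
    name = path.name.lower()
    match = NAME_RE.match(name)
    if not match or name.endswith(EXCLUDED_SUFFIXES):
        return False
    version = tuple(int(part) for part in match.group(1).split("."))
    return version < (2, 16, 0)


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large JARs are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(scan_file: Path, fixed_sha256: str = FIXED_SHA256) -> dict:
    """Classify every in-scope path listed in the scan output (assumed one per line)."""
    report = {"replaced": [], "unfixed": [], "missing": [], "no_backup": []}
    text = scan_file.read_text(encoding="utf-8", errors="replace")
    for line in text.splitlines():
        if not line.strip():
            continue
        jar = Path(line.strip())
        if not in_scope(jar):
            continue
        if not jar.is_file():
            report["missing"].append(str(jar))
            continue
        # The original filename is retained, so only the content hash tells
        # a replaced file from an unfixed one.
        state = "replaced" if sha256_of(jar) == fixed_sha256 else "unfixed"
        report[state].append(str(jar))
        # The action copies each original to "<path>-disabled" before overwriting.
        if state == "replaced" and not Path(str(jar) + "-disabled").is_file():
            report["no_backup"].append(str(jar))
    return report
```

Entries under "unfixed" are files the COPY step did not overwrite, for example because a running service held the JAR open; entries under "no_backup" have no "-disabled" copy to roll back to.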



Comments

singchung -
The URL to download the log4j 2.16 files is no longer valid as Apache has replaced the files with 2.17 ones. The fixlet needs to be updated to download 2.17 files.
LThaoCityofSac -
Great fixlet Jason! I tested it and have one question: some of our server applications use the log4j-core jar without the version in the name. From my test, the fixlet will only replace log4j-core-2.x.jar files as intended. Any suggestions on how to modify the fixlet to also replace files with the name "log4j-core.jar"?