Menu
How can I find vulnerable Log4j programs (CVE-2021-44228) on a Windows 10 PC and how can I provide first aid when I cannot update to a fixed Log4j version?
992
We also use a log inspection rule to detect the vulnerability. The log inspection rule 1011241 – Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) looks for JNDI payloads in the access logs, with the default path being /var/log/*/access.
Check Log4j Version For that, we need to make use of the “apt list” instruction on the shell along with the name of a library as “liblog4j2-java” as shown in the image below. The output is showing “Listing… Done”, and after that, it is showing the installed version of Log4j2 in our system i.e., version “2.17. 1-0.20.
Reload4j 1.2.18.0 has been released. It is as a replacement for log4j version 1.2.17 with fixes for CVE-2021-4104 and CVE-2019-17571. For versions 1.x.x of log4j you are vulnerable only if you are using a JMS Appender in your log4j configuration. Description of the vulnerability and possible mitigations of cve-2021-44228 are explained here.
Search For Files On The File System Searching the file by name ‘ Log4j’ in the file system is the simplest way to detect CVE-2021-44228 Log4Shell Vulnerability. This is a less accurate method of detection. However it is the most convenient and easiest way. 2. Scan The Package
But this one seems to be most thorough in its detection. log4j-vuln-scanner is a Go-based tool, with binary releases for x86_64 Windows, Linux, Mac OS X, that searches for vulnerable Log4j instances. It finds Log4j also within other JAR file and WAR files and it provides information about the found Log4j versions.
IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). The IBM SPSS Statistics Development team produced interim fixes for our currently supported versions, updating the Log4j .jar files to version 2.17.1.
It is possible to delete the JndiLookup class from log4j-core JAR files in order to provide first aid in the context of the Log4j security disaster (CVE-2021-44228).
Delete the JndiLookup classes, if you cannot update the Java application to a version with a fixed Log4j version, as it is suggested by Log4j themselves.
So this is just a first-aid quick fix until you get application updates! The following PowerShell script will search all drives for log4j-core*.jar files. In any found one, we will delete the JndiLookup class from it, with the "zip -q -d" command.
On Windows 10 PCs, there is PowerShell for scripting. Thus, create an anyname.ps1 file with the following content:
# Ensure we can run everything
Set-ExecutionPolicy Bypass -Scope Process -Force
# Escape characters in PowerShell: https://ss64.com/ps/syntax-esc.html
Write-Host "Start iterating drives..."
$volumes = Get-WmiObject win32_volume -filter "drivetype=3"
foreach ($volume in $volumes)
{
$driveletter = $volume.driveletter # e.g. C:
if ($driveletter -ne $null)
{
$drivename = $volume.name # e.g. C:\
Write-Host "`n== Checking $driveletter... =="
# Find log4j-core*.jar files, directly
# and remove org/apache/logging/log4j/core/lookup/JndiLookup.class
# with zip.exe -q -d command.
# Use unzip -l | findstr JndiLookup as paranoia check.
Write-Host "== Find log4j-core*.jar files... =="
Get-ChildItem -Path $drivename -Filter log4j-core*.jar -Recurse -ErrorAction SilentlyContinue | % {
Write-Host "== $($_.FullName) =="
Write-Host "> zip.exe -q -d `"$($_.FullName)`" `"org/apache/logging/log4j/core/lookup/JndiLookup.class`""
zip.exe -q -d "$($_.FullName)" "org/apache/logging/log4j/core/lookup/JndiLookup.class"
Write-Host "> unzip.exe -l `"$($_.FullName)`" | findstr JndiLookup"
unzip.exe -l "$($_.FullName)" | findstr JndiLookup
Write-Host "== END =="
}
# Find JndiLookup.class in uncompressed directories on the file-system (aka *.class)
Write-Host "== Find uncompressed JndiLookup.class files... =="
Get-ChildItem -Path $drivename -Filter JndiLookup.class -Recurse -ErrorAction SilentlyContinue | % {
Write-Host "== $($_.FullName) =="
Write-Host "> Remove-Item -Path `"$($_.FullName)`" -Force"
Remove-Item -Path $_.FullName -Force
Write-Host "== END =="
}
}
}
# Find embedded log4j-core*.jar files ("Java Über JARs" or shaded JARs, i.e., JARs in other JAR/WAR/etc.)
Write-Host "== Find log4j-core*.jar files that are embedded into other archives... =="
Write-Host "TODO: Not supported!"
Write-Host "INSTEAD APPLY: https://github.com/mergebase/log4j-detector"
# Find log4j in docker containers
Write-Host "== Find log4j in docker containers... =="
Write-Host "TODO: Not supported!"
Write-Host "READ: https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/"
Write-Host "THUS, APPLY: docker scan"
Write-Host "Press ENTER to continue..."
cmd /c Pause | Out-Null
Now you can execute this .ps1 file.
An easy way to execute the .ps1 file: create an anyname.cmd file besides the identically named .ps1 file with the following content:
powershell.exe -ExecutionPolicy ByPass -noprofile -command "&{start-process powershell -ArgumentList '-ExecutionPolicy ByPass -noprofile -NoExit -file \"%~dpn0.ps1\"' -verb RunAs}"
You can double-click the cmd. It will execute the .ps1 script with elevated privileges.
There have been several attempted fixes by log4j (versions 2.15, 2.16 and now 2.17). Possibly, the "first-aid" removal of JndiLookup class (from any log4j JARs, possibly embedded, i.e., "Java Über JARs" or shaded JARs, or in uncompressed directories on the file-system, aka *.class) should actually be your preferred present and future option.
175
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
