+9Ok i have found this: https://github.com/hillu/local-log4j-vuln-scanner/releases
The binary can be renamed as a .sh script and run local on a workstation and works great for vulnerable log4j jar file detection.
I want to be able to utilize this with an extension attribute and a smart group to see what machines have vulnerable log4j jars.
Can anyone provide details on how to make this happen?
+9is the source code available anywhere??
Yes it’s in that link, but it’s written in “go”
it doesn’t appear to be in bash or shell format
+18We're using a different scan tool, and I don't really have any code to share since it's designed around that tool's output, but I was able to capture json output and parse it with some effort. I'm downloading the tool, running a scan, and putting the json output into an EA for deeper analysis in our dashboards with reports pulled using the API. Then my script parses the json and spits out three EAs: scan date, number of unique hits, and a list of unique file paths. I'm grabbing raw data for other people to use and processing it a bit for my own use (like knowing when to rescan a device).
The json data is pretty large for some system but I talked to Jamf and they didn't have any concerns about shoving a lot of data into an EA. So far it's working pretty well.
+11We have been looking at https://github.com/lunasec-io/lunasec/releases scanner. Has anyone else tried it and have a script to use Jamf to report back if issues are found??
Some Sample output from the divd scanner
[!][ ] found found in /Applications/Transporter.app/Contents/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e (identified as version(s): 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1)
└───────> found in /Applications/Transporter.app/Contents/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3
[!][ ] found found in /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e (identified as version(s): 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1)
└───────> found in /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3
[ ] Checked 701250 files in 00h:06m:10s, average rate is: 113634 files/min. (still running)
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.