Detecting vulnerable log4j jars on workstations

bmack99
Contributor III

OK, I have found this: https://github.com/hillu/local-log4j-vuln-scanner/releases

The binary can be renamed as a .sh script and run locally on a workstation, and it works great for vulnerable log4j jar file detection.

I want to be able to utilize this with an extension attribute and a smart group to see what machines have vulnerable log4j jars.

Can anyone provide details on how to make this happen?


swapple
Contributor III

Is the source code available anywhere?

Yes, it's in that link, but it's written in Go.

It doesn't appear to be in bash or shell format.

alexjdale
Valued Contributor III

We're using a different scan tool, and I don't really have any code to share since it's designed around that tool's output, but I was able to capture JSON output and parse it with some effort. I'm downloading the tool, running a scan, and putting the JSON output into an EA for deeper analysis in our dashboards, with reports pulled using the API. Then my script parses the JSON and spits out three EAs: scan date, number of unique hits, and a list of unique file paths. I'm grabbing raw data for other people to use and processing it a bit for my own use (like knowing when to rescan a device).


The JSON data is pretty large for some systems, but I talked to Jamf and they didn't have any concerns about shoving a lot of data into an EA. So far it's working pretty well.

swapple
Contributor III

We have been looking at the https://github.com/lunasec-io/lunasec/releases scanner. Has anyone else tried it, and does anyone have a script to use Jamf to report back if issues are found?

Some sample output from the divd scanner:


[!][ ] found found in /Applications/Transporter.app/Contents/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3  
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e (identified as version(s): 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1)
       └───────> found in /Applications/Transporter.app/Contents/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3 
[!][ ] found found in /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3  
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e (identified as version(s): 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1)
       └───────> found in /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3 
[ ] Checked 701250 files in 00h:06m:10s, average rate is: 113634 files/min. (still running)
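As an added example (not code from this thread, from Jamf, or from either scanner project), here is a Jamf extension attribute in sh that covers both what bmack99 asked for and the count-plus-paths EAs alexjdale describes: it parses the divd scanner's "found in <path> ... hash=" lines, like those in the sample output above, and reports the number of unique vulnerable jar paths followed by the paths themselves in the `<result>` block Jamf expects. The scanner install path, scan root and invocation (`SCANNER`, `SCAN_ROOT`) and the helper names (`unique_hit_paths`, `unique_hit_count`, `ea_result`) are assumptions; the sample output embedded at the bottom is constructed for the demo run.

```shell
#!/bin/sh
# Jamf extension attribute (example code, not the scanner's own): run the divd
# log4j scanner, pick out the unique vulnerable jar paths and emit <result>...</result>.

SCANNER="/usr/local/bin/log4j-scanner"   # assumed install path of the scanner binary
SCAN_ROOT="/Applications"                # assumed directory to scan

# Unique jar paths from scanner output on stdin. Matches both the
# "[!][ ] found found in <path> hash=..." line and the "└──> found in <path> hash=..."
# line, so a jar reported twice (jar + JndiLookup.class) is counted once.
unique_hit_paths() {
  sed -n 's/.*found in \(\/[^ ]*\) hash=.*/\1/p' | sort -u
}

# Number of unique vulnerable jars from scanner output on stdin.
unique_hit_count() {
  unique_hit_paths | wc -l | tr -d ' '
}

# Build the EA body: first line is the count, remaining lines are the paths.
# A clean machine reports 0, which a smart group can key on directly.
ea_result() {
  paths=$(unique_hit_paths)
  if [ -z "$paths" ]; then
    printf '<result>0</result>\n'
  else
    count=$(printf '%s\n' "$paths" | wc -l | tr -d ' ')
    printf '<result>%s\n%s</result>\n' "$count" "$paths"
  fi
}

# Constructed sample mirroring the thread's scanner output (hash shortened to a placeholder).
SAMPLE='[!][ ] found found in /Applications/Transporter.app/Contents/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=EXAMPLEHASH version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3
[!][ ] found org/apache/logging/log4j/core/lookup/JndiLookup.class with hash EXAMPLEHASH (identified as version(s): 2.11.2)
       └───────> found in /Applications/Transporter.app/Contents/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=EXAMPLEHASH version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3
[!][ ] found found in /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar hash=EXAMPLEHASH version=2.11.2 vulnerabilities=CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 max-score=9.3
[ ] Checked 701250 files in 00h:06m:10s, average rate is: 113634 files/min.'

# On a managed Mac run the real scanner (invocation assumed: scanner <dir>);
# elsewhere run the parser over the constructed sample so the script can be tried offline.
if [ -x "$SCANNER" ]; then
  "$SCANNER" "$SCAN_ROOT" 2>/dev/null | ea_result
else
  printf '%s\n' "$SAMPLE" | ea_result
fi
```

Scan time on the sample above was over six minutes, so in practice you would run the scanner from a policy, write its output to a file, and have the EA parse that file instead of rescanning at every inventory.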