Log4j Vulnerability: Scanning 3rd Party Apps

michaelhusar
Contributor II

Has anyone used tools to scan for Log4j vulnerable apps like https://github.com/hillu/local-log4j-vuln-scanner/releases or even made an EA for detection?


Fluffy
Contributor III

The only mention I have seen for an EA is in the second reply here:

https://community.jamf.com/t5/jamf-pro/log4j-vulnerability/td-p/254027

Have not used it myself.

michaelhusar
Contributor II

Thank you!
Today we distributed the scanner and made an EA:

#!/bin/zsh

file_location="/Users/Shared/local-log4j-vuln-scanner"

if [[ -e "$file_location" ]]; then
    # Full-disk pass: findings are written to a log file on the machine
    "$file_location" -ignore-v1 -quiet -log /Users/Shared/logFourj.log /
    # /Applications pass: output is captured and reported as the EA value
    scan=$("$file_location" -quiet -ignore-v1 /Applications)
    echo "<result>$scan</result>"
else
    echo "<result>Scanner missing</result>"
fi

Does Java need to be installed on each endpoint for this scanner to function? I am looking for an EA to scan an entire system for any .jar files with log4j in the filename, but something that doesn't require Java to be installed would be helpful.
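
For the no-Java, whole-disk variant asked for here, an added example (not code from this thread and not from any scanner project): a plain sh EA that walks the local disk for .jar/.war/.ear files and flags each one that either has log4j in its name or, more usefully, carries the `JndiLookup.class` entry that implements the vulnerable JNDI lookup. It relies on zip entry names being stored uncompressed inside an archive, so `grep -a` can see them without unzipping and without a Java runtime. The prune list is an assumption to adjust for your fleet. Caveat: a jar nested inside another jar or war is itself deflated, so its entry names are not visible this way; the hillu binary discussed below walks nested archives and is the better tool for that case.

```shell
#!/bin/sh
# Added example (not from the thread or from any scanner project): a Jamf EA
# that sweeps local storage for log4j archives using only find and grep.
#
# Two checks per archive:
#   1. the filename contains "log4j" (what the question asked for)
#   2. the archive's zip directory lists JndiLookup.class, the class behind
#      the log4j 2.x JNDI lookup. Entry names inside a zip are stored
#      uncompressed, so grep -a finds them without unzipping.
# Caveat: jars nested inside another jar/war are deflated as a whole, so
# their entry names are not visible to check 2.

JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# List .jar/.war/.ear files under $1. Mounted volumes (network shares,
# externals) and pseudo-filesystems are pruned; the list is an assumption,
# extend it for your environment.
find_archives() {
    find "$1" \( -path /Volumes -o -path /dev -o -path /proc -o -path /sys \) -prune -o \
        -type f \( -iname '*.jar' -o -iname '*.war' -o -iname '*.ear' \) -print 2>/dev/null
}

# Verdict for one archive: content hit beats a name-only hit; empty if clean.
classify_archive() {
    if grep -aqF "$JNDI_CLASS" "$1" 2>/dev/null; then
        printf '%s' "JndiLookup.class present"
    else
        case "$(basename "$1")" in
            *[Ll]og4j*) printf '%s' "log4j in filename" ;;
            *) : ;;
        esac
    fi
}

# Walk $1 and print one "verdict<TAB>path" line per suspicious archive.
scan_for_log4j() {
    find_archives "${1:-/}" | while IFS= read -r f; do
        verdict=$(classify_archive "$f")
        if [ -n "$verdict" ]; then
            printf '%s\t%s\n' "$verdict" "$f"
        fi
    done
}

# The EA body: one <result> block, "Not Found" when clean so a smart group
# can key on the value.
ea_result() {
    findings=$(scan_for_log4j "${1:-/}")
    if [ -z "$findings" ]; then
        echo "<result>Not Found</result>"
    else
        echo "<result>$findings</result>"
    fi
}

# Deployed as an EA the script ends with a bare `ea_result /`; here the root
# comes from $1 so the script can be pointed at a test tree first.
if [ $# -gt 0 ]; then
    ea_result "$1"
fi
```

Point it at a scratch directory (`sh log4j_sweep.sh /Users/Shared/test`) before scoping it to the fleet; a full `/` pass on a large disk takes minutes, so set the EA's inventory frequency with that in mind.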

That was also very important for us. 
No Java runtime needed if you use the binary of https://github.com/hillu/local-log4j-vuln-scanner/releases
We just put the binary on every machine. (Remove the quarantine bit before making a pkg in composer.) 
If you want to scan the whole machine: We added excludes to prevent scanning of connected network shares. 

Thank you. This is very helpful. I'm sorry for sounding foolish here, but would you be able to provide a step by step of how you implemented this?

I'm guessing:

1) package the binary in Composer (what directory does it need to be deployed to?)

2) invoke the binary via an extension attribute?

3) the output from the scanner run is what the EA collects and we could then utilize a smart group to display any non NULL values?


Thanks for the help.

Did this end up working for you @bmack99 I'm still figuring out how to even get this thing into Jamf.

I was never able to figure out how to properly get this to run. For instance the binary, if I rename it with a .sh and chmod to make it executable I can get it to run locally, but I haven't been able to figure out how to incorporate it in an EA either.

@michaelhusar - can you elaborate at all on your process for those of us struggling? Ideally we are looking for something that will do a full scan and report back vulnerable .jars and .wars via an EA or something that can be utilized in a Smart Group to see a clean report.

@michaelhusar how did you get this working?  Been trying to figure this out but using these kinds of tools is still a bit new to me.

Sorry for the delay!
First things first: Happy New Year!
What I did:
1) Click on https://github.com/hillu/local-log4j-vuln-scanner/releases
2) Download local-log4j-vuln-scanner.macosx
3) sudo xattr -d -r com.apple.quarantine /Users/michael/Downloads/local-log4j-vuln-scanner.macosx
4) Pkg with Composer - I put it in /Users/Shared/
5) Distribute to (all) machines via JAMF policy
6) Yes, the EA invokes it - actually a full log, and a result for the /Applications folder goes to the EA:
file_location="/Users/Shared/local-log4j-vuln-scanner"
if [[ -e "$file_location" ]]; then
    /Users/Shared/local-log4j-vuln-scanner -ignore-v1 -quiet -log /Users/Shared/logFourj.log /
    scan=$(/Users/Shared/local-log4j-vuln-scanner -quiet -ignore-v1 /Applications)
    echo "<result>$scan</result>"
else
    echo "<result>Scanner missing</result>"
fi
7) We created an advanced computer search with the EA and downloaded a report to analyse it
8) We "cleaned" the report
9) Probably have to work on the EA result to get it cleaner from the beginning
Hope that helps
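
Step 9 above (getting a cleaner EA value from the start) is where most of the smart-group pain sits, so here is an added example of the same EA with that handled. This is not michaelhusar's EA and not code from the hillu/local-log4j-vuln-scanner project. It keeps the binary at /Users/Shared/local-log4j-vuln-scanner as in the post, reports a distinct value when the binary is missing so those machines can be scoped separately, collapses the raw scanner output to `Not Found` or `Found N` plus the finding lines, and passes the excludes mentioned earlier in the thread so mounted shares are skipped. The `-exclude` flag name and the exclude list are assumptions to verify against the scanner's README.

```shell
#!/bin/sh
# Added example: a Jamf EA wrapper around the hillu scanner binary. Not the
# thread's EA and not part of the scanner project.
#
# Differences from the EA in the post:
#   - one scanner pass with the full log still written
#   - "Scanner missing" when the binary is absent or not executable
#   - -exclude keeps the sweep off mounted shares (flag name and exclude list
#     are assumptions; check both against the scanner's README)
#   - raw output is collapsed to "Not Found" or "Found N" plus the finding
#     lines, which is easier to key a smart group on

SCANNER="${SCANNER:-/Users/Shared/local-log4j-vuln-scanner}"
LOG="${LOG:-/Users/Shared/logFourj.log}"
EXCLUDES="/Volumes /System/Volumes/Data/Network"   # assumption: adjust per fleet

# Read scanner output on stdin and print an EA-friendly summary.
# Blank lines are dropped so an empty run counts as clean.
summarize_findings() {
    findings=$(grep -v '^[[:space:]]*$' || true)
    if [ -z "$findings" ]; then
        echo "Not Found"
    else
        count=$(printf '%s\n' "$findings" | wc -l | tr -d ' ')
        printf 'Found %s\n%s\n' "$count" "$findings"
    fi
}

# Run one scanner pass over $1, logging to $LOG and skipping $EXCLUDES.
# -ignore-v1 suppresses log4j 1.x hits, which the JNDI lookup issue does
# not affect. Errors such as permission-denied go to the log, not the EA.
run_scan() {
    args=""
    for d in $EXCLUDES; do
        args="$args -exclude $d"
    done
    # $args is deliberately unquoted so each flag and path is its own word
    "$SCANNER" -quiet -ignore-v1 -log "$LOG" $args "$1" 2>/dev/null
}

# The EA body: prints exactly one <result>...</result>.
ea_result() {
    if [ ! -x "$SCANNER" ]; then
        echo "<result>Scanner missing</result>"
        return 0
    fi
    summary=$(run_scan "${1:-/Applications}" | summarize_findings)
    echo "<result>$summary</result>"
}

# Deployed as an EA the script ends with a bare `ea_result /Applications`
# (or `/` for the full-disk pass); here the root comes from $1 so the script
# can be pointed at a test tree first.
if [ $# -gt 0 ]; then
    ea_result "$1"
fi
```

With the value shaped this way the smart group criterion becomes `EA is not "Not Found"`, and a second group on `EA is "Scanner missing"` catches machines where the package never landed.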

daniel_ross
Contributor III

I forgot where we found this one (will give credit as soon as I do) and it's been working for us.

#!/bin/sh

# Lists open files whose path (or owning process) mentions log4j; this only
# catches jars loaded by a process that is running at the moment the EA runs
log4j=$(lsof | grep log4j)

if [ -z "$log4j" ]; then
    echo "<result>Not Found</result>"
else
    echo "<result>$log4j</result>"
fi

exit 0


Hey Daniel. Yeah that works for us too for open processes at the time of run. We are looking for a full scan of the drive.

Oh man that would be a good one to find.  Wouldn't most AV software now be looking for that?  I might need to reach out to CrowdStrike support to see if they might spot that now.

donmontalvo
Esteemed Contributor III

FWIW, it was recommended to me to use this tool, and I created a report. The tool spits out a TXT, and then an EA scoops the returns for vulnerable instances of log4j.

https://github.com/mergebase/log4j-detector

--
https://donmontalvo.com