
Log4j - check for vulnerable systems now! (CVE-2021-44228 & CVE-2021-45046)

Endorsed by Nick The Ninja

Hey all, 

If you are looking for a solution to find all your vulnerable systems for the log4j (log4shell) issue, you are at the right place ;) With Quest KACE Systems Management Appliance (SMA) you can check your systems for the Java libraries and create a report about all your devices.


Link for the action pack: Download

Kind Regards

Timo


Comments

  • Thank you Timo. Could you share how to use the results in a report? - ZellstoffStendal 3 years ago
    • Hi, you can find a step by step guide and ready to use reports within the customer section. If you have issues logging in to that section make sure that your email is matching your Quest support account.
      https://www.itninja.com/community/customer/file/52
      Kind Regards
      Timo - Timokirch 3 years ago
  • Perfect, thank you Timo.

    Regards,
    Sebastian - ZellstoffStendal 3 years ago
  • Hi Timokirch,

    The Custom Inventory Rule reads C:\Log4J_hits.txt, but what creates the Log4J_hits.txt file? I think I missed a step.

    Thanks! - seanmurphyswlaw 3 years ago
  • Hi Timokirch,

    I found my error. I needed to run the imported Script "Log4J detector Windows" from the Scripting menu in KACE SMA first to generate the Log4J_hits.txt file.

    Thanks again! - seanmurphyswlaw 3 years ago
    • Correct, if you want to change the location or scan another partition you can easily change the script & custom inventory rule. On Linux/MacOS/Raspbian the file will be stored in /tmp/ as Log4j_hits.txt so depending on the OS (for example ubuntu) the file gets cleaned up after a reboot. - Timokirch 3 years ago
  • I assume as the Java jar gets updated at GitHub, we just change the script(s) to match the new file & replace the dependencies??

    Also, when I tried to run the script I get this in the script log:
    021-12-20 09:53:29: Alert not enabled, moving to next phase....
    2021-12-20 09:53:34: Sending script log4j.ps1 to client....
    2021-12-20 09:53:38: Script sent
    2021-12-20 09:53:43: Sending dependency log4j-detector-2021.12.20.jar to client....
    2021-12-20 09:53:49: Dependency sent
    2021-12-20 09:53:49: Executing script....
    2021-12-20 10:03:55: The last step timed out after no response from the client. Please try again.
    2021-12-20 10:03:55: Error -1 received while executing script
    2021-12-20 10:03:55: Run As failed: unspecified error=-1

    Also, when I tried to run manually on a device all I get is this (and it sits forever), not sure if it is working or not?
    PS C:\WINDOWS\system32> C:\ProgramData\Quest\KACE\scripts\562\log4j2.ps1
    java : -- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
    At C:\ProgramData\Quest\KACE\scripts\562\log4j2.ps1:1 char:1
    + java -jar C:\ProgramData\Quest\KACE\scripts\562\log4j-detector-2021.1 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (-- github.com/m... take a while).:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

    -- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
    -- Problem: C:\$Recycle.Bin\S-1-5-21-1564419734-2420335311-593277322-500\$IJ8LBP4.zip - Not actually a zip!?! (no magic number)
    -- Problem: C:\$Recycle.Bin\S-1-5-21-1564419734-2420335311-593277322-500\$INV7YMW.zip - Not actually a zip!?! (no magic number)
    -- Problem: C:\$Recycle.Bin\S-1-5-21-1564419734-2420335311-593277322-500\$IYFM98L.zip - Not actually a zip!?! (no magic number)


    Any info would be much appreciated!

    Thanks
    Jason - jct134 3 years ago
    • Hi Jason,
      I have tried just now with the latest .jar file of the GitHub project (2021.12.20). The scripts all executed fine but the results are not looking solid (at least at the first look my test client reported a 2.16 as vulnerable 2.10 version).

      Can you share your script command so that I can check if that is an issue of SMA or of the new jar version?

      Kind Regards
      Timo - Timokirch 3 years ago
      • Correcting myself: script is running and reporting the correct findings.

        Tested Version 2021.12.20 - Timokirch 3 years ago
  • I have some machines that do not have Java installed on them. I know they need Java to run the script but when I look at the reports I want to be able to see that the script attempted to run on a machine. Any way to do this? - mathewc 2 years ago
    • I could extend the report to include all machines that do not have Java installed, would that help? - Timokirch 2 years ago
  • Can the script be changed to look for the following file? TWXCreoAnalysisProvider I need to have this one file checked and am not sure this report as it is, is doing that.

    Thanks. - Ted S 2 years ago
    • Hi Ted,
      Feel free to check the GitHub page of the script vendor (https://github.com/mergebase/log4j-detector#itemmore). You can configure the script to just look at a specific path or enable verbose logging. So you could check if your file was checked.

      Kind regards - Timokirch 2 years ago
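
The thread relies on a scanner that opens Java archives and reports log4j-core copies, and the log above shows it skipping files that only look like archives ("no magic number"). The following is an added example, not the action pack's script and not log4j-detector's own code: a simplified Python sketch of that kind of check. The function names and the sample archives are constructed for illustration, and it reports only the version string and whether `JndiLookup.class` is present, without deciding vulnerability.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # signature at the start of a non-empty ZIP/JAR
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def scan_archive(data, label, hits, problems):
    """Recursively inspect one archive held in memory as bytes."""
    try:
        if not data.startswith(ZIP_MAGIC):
            raise zipfile.BadZipFile("no magic number")  # archive name only
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        problems.append(label)  # recorded and skipped, not a finding
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = "unknown"
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            hits.append({"path": label, "version": version,
                         "jndi_lookup": JNDI_CLASS in names})
        for name in names:
            # Libraries are often bundled inside WAR/EAR/fat-JAR files.
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), label + "!/" + name, hits, problems)

def make_jar(entries):
    """Build a constructed archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample data: fake log4j-core jar in a WAR, plus a non-ZIP ".zip".
    core = make_jar({POM_PROPS: b"version=2.10.0\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    war = make_jar({"WEB-INF/lib/log4j-core-2.10.0.jar": core, "index.html": b"<html/>"})
    hits, problems = [], []
    scan_archive(war, "app.war", hits, problems)
    scan_archive(b"\x02\x00\x00\x00not a zip", "$IJ8LBP4.zip", hits, problems)
    return hits, problems
```

Entries that land in `problems` correspond to the "Problem: ... Not actually a zip" lines: the file was looked at and skipped, which is different from a hit.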