Log4j – Security Vulnerability – Detection Tool – CERT ( Community Emergency Response Team ) – PowerShell Script

Background

Library ( Jar ) Files

Patched / Apache / v2.17.1

Package

File Type                       | File Name
--------------------------------|--------------------------------
Apache Log4j 2 binary (tar.gz)  | apache-log4j-2.17.1-bin.tar.gz
Apache Log4j 2 binary (zip)     | apache-log4j-2.17.1-bin.zip

Extract

Jar File         | Usage / Purpose                                                                                | JAR File Name Syntax                          | JAR File Name (Version Specific)
-----------------|------------------------------------------------------------------------------------------------|-----------------------------------------------|---------------------------------
Log4j API File   | Provides the adapter components required for implementers to create a logging implementation. | log4j-api-[major].[minor].[subminor].jar      | log4j-api-2.17.1.jar
Log4j Core File  | Core Log4j implementation classes                                                              | log4j-core-[major].[minor].[subminor].jar     | log4j-core-2.17.1.jar
Bridge File      | Provides the bridge from v1.2 to v2.*                                                          | log4j-1.2-api-[major].[minor].[subminor].jar  | log4j-1.2-api-2.17.1.jar

Unpatched / Apache / v2.14.1

Package

File Type                       | File Name
--------------------------------|--------------------------------
Apache Log4j 2 binary (tar.gz)  | apache-log4j-2.14.1-bin.tar.gz
Apache Log4j 2 binary (zip)     | apache-log4j-2.14.1-bin.zip

Extract

Jar File         | Usage / Purpose                                                                                | JAR File Name Syntax                          | JAR File Name (Version Specific)
-----------------|------------------------------------------------------------------------------------------------|-----------------------------------------------|---------------------------------
Log4j API File   | Provides the adapter components required for implementers to create a logging implementation. | log4j-api-[major].[minor].[subminor].jar      | log4j-api-2.14.1.jar
Log4j Core File  | Core Log4j implementation classes                                                              | log4j-core-[major].[minor].[subminor].jar     | log4j-core-2.14.1.jar
Bridge File      | Provides the bridge from v1.2 to v2.*                                                          | log4j-1.2-api-[major].[minor].[subminor].jar  | log4j-1.2-api-2.14.1.jar

Compile

We compiled against the 2.14.1 version (the unpatched one), so the resulting class file exercises the vulnerable log4j-core.

setlocal

    REM Version of Log4j to compile against; the jars live under lib/log4j/<version>
    set "jar_log4j_version=2.14.1"

    set "jar_log4j_folder=lib/log4j/%jar_log4j_version%"

    REM Alternative: let javac pick up every jar in the folder via a wildcard
    set "jar_log4j_explicit=%jar_log4j_folder%/*"

    REM Preferred: name the three jars explicitly (api, core, 1.2 bridge)
    set "jar_log4j_implicit=%jar_log4j_folder%/log4j-api-%jar_log4j_version%.jar;%jar_log4j_folder%/log4j-core-%jar_log4j_version%.jar;%jar_log4j_folder%/log4j-1.2-api-%jar_log4j_version%.jar"

    set "jar_log4j=%jar_log4j_implicit%"

    REM Classpath entries are separated by ';' on Windows
    javac -cp .;%jar_log4j% helloLog4j.java

endlocal

Run

We ran the 2.14.1 version.

Script

invoke

invoke_base.cmd


setlocal

    REM Expects jar_log4j_version to be set by the calling script (see invoke.v.2.14.1.cmd)
    set "jar_log4j_folder=lib/log4j/%jar_log4j_version%"

    REM Alternative: wildcard over every jar in the folder
    set "jar_log4j_explicit=%jar_log4j_folder%/*"

    REM Preferred: the three jars named explicitly (api, core, 1.2 bridge)
    set "jar_log4j_implicit=%jar_log4j_folder%/log4j-api-%jar_log4j_version%.jar;%jar_log4j_folder%/log4j-core-%jar_log4j_version%.jar;%jar_log4j_folder%/log4j-1.2-api-%jar_log4j_version%.jar"

    set "jar_log4j=%jar_log4j_implicit%"

    REM Same classpath as the compile step; run the compiled helloLog4j class
    java -cp .;%jar_log4j% helloLog4j

endlocal

invoke.v.2.14.1.cmd


setlocal

    REM Pin the version, then delegate to the shared launcher
    set "jar_log4j_version=2.14.1"

    call invoke_base.cmd

endlocal

Output

Output – Image

CERT ( Community Emergency Response Team ) Coordination Center ( CERT/CC )

Background

The CERT Coordination Center is part of Carnegie Mellon University’s Software Engineering Institute.

The center’s GitHub page is https://github.com/CERTCC.

CERTCC / CVE-2021-44228_scanner

Background

CERT Coordination Center has a tool for identifying Java applications that are susceptible to log4J’s CVE-2021-44228 security vulnerability.

The tool is available on GitHub, specifically at https://github.com/CERTCC/CVE-2021-44228_scanner.

Scripts

There are programming-language-specific scripts.

Currently, the following programming languages are available:

  1. Bash Shell
    • checkjndi.sh
  2. PowerShell
    • checkjndi.ps1
  3. Python
    • checkjndi.py

Download Scripts

There are various avenues for downloading artifacts from GitHub.

Available options include:

  1. Manual
    • Web Browser
  2. Script
    • git client

Script

Git Client / Git Clone

My go-to git command for downloading a git repository is “git clone”.

Syntax

git clone <repository>

Sample

git clone https://github.com/CERTCC/CVE-2021-44228_scanner.git

Output – Image

Output – Text

>git clone https://github.com/CERTCC/CVE-2021-44228_scanner.git

Cloning into 'CVE-2021-44228_scanner'...
remote: Enumerating objects: 194, done.
remote: Counting objects: 100% (103/103), done.
remote: Compressing objects: 100% (68/68), done.
remote: Total 194 (delta 60), reused 66 (delta 35), pack-reused 91
Receiving objects: 100% (194/194), 400.80 KiB | 2.78 MiB/s, done.
Resolving deltas: 100% (107/107), done.


Folder View

Image

Here is what our folder looks like:

PowerShell Script

In this post, we will not examine the Bash or Python scripts.

Instead, we will take a quick look at the PowerShell script.

Outline

Here are the Log4j versions that we will examine:

  1. Version 2.17.1
  2. Version 2.14.1

Prerequisite

  1. Microsoft
    • PowerShell
      • PowerShell v3.0

Exercise

Syntax

powershell -file [powershell-script] -PSPath [java-folder]

v 2.17.1

Sample

powershell -file C:\Downloads\Cert\CVE-2021-44228_scanner\checkjndi.ps1 -PSPath C:\java\helloLog4J\sourceCode\2.17.1

Output
Output – Image

Output – Text

>powershell -file C:\Downloads\Cert\CVE-2021-44228_scanner\checkjndi.ps1  -PSPath C:\java\helloLog4J\sourceCode\2.17.1
WARNING: -Force not used, will not scan System or Hidden files.
C:\java\helloLog4J\sourceCode\2.17.1\lib\log4j\log4j-core-2.17.1.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class ** BUT APPEARS TO BE PATCHED **
No vulnerable components found

Explanation
  1. JndiLookup.class
    • The class is still present in log4j-core-2.17.1.jar, at org/apache/logging/log4j/core/lookup/JndiLookup.class
    • The scanner reports ** BUT APPEARS TO BE PATCHED **, i.e. the class body matches the fixed version rather than the vulnerable one
    • Result: No vulnerable components found

v 2.14.1

Sample

powershell -file C:\Downloads\Cert\CVE-2021-44228_scanner\checkjndi.ps1 -PSPath C:\java\helloLog4J\sourceCode\2.14.1

Output
Output – Image

Output – Text

>powershell -file C:\Downloads\Cert\CVE-2021-44228_scanner\checkjndi.ps1 C:\java\helloLog4J\sourceCode\2.14.1

WARNING: -Force not used, will not scan System or Hidden files.

WARNING: C:\java\helloLog4J\sourceCode\2.14.1\lib\log4j\2.14.1\log4j-core-2.14.1.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class

Explanation
  1. JndiLookup.class
    • WARNING: C:\java\helloLog4J\sourceCode\2.14.1\lib\log4j\2.14.1\log4j-core-2.14.1.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class
    • The class is present and does not match the patched version, so the jar is flagged as vulnerable
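To make the two scan results above concrete, here is a small scanner of my own with the same shape as CERT/CC's checkjndi.ps1; it is an added example, not the CERT/CC script or anything from the repository. It walks a folder, opens every Java archive as a zip, reports any archive carrying org/apache/logging/log4j/core/lookup/JndiLookup.class, descends into archives nested inside archives (a WAR's WEB-INF/lib, a shaded JAR), and skips hidden and system files unless -Force is given, which is what the page's "-Force not used" warning is about. Two things are assumptions: the parameter name -PSPath and the script file name Find-JndiLookup.ps1 are mine, and the "appears to be patched" test (looking for the literal string "JNDI is not supported" inside the class bytes, which the fixed 2.16.0+ class contains and 2.14.1 does not) is my reading of how the CERT scripts decide; confirm it against the repository's source before relying on it.

```powershell
# Added example (not the CERT/CC checkjndi.ps1): scan a folder for JndiLookup.class
# inside .jar/.war/.ear/.zip archives, including archives nested in archives.
param(
    [string]$PSPath = '.',   # folder to scan; parameter name borrowed from the page's syntax
    [switch]$Force           # also scan hidden/system files, as in the page's warning text
)

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$JndiClass   = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
# Assumption: the patched class (2.16.0 and later) carries this literal; 2.14.1 does not.
$PatchMarker = 'JNDI is not supported'
$ArchiveExt  = '\.(jar|war|ear|zip)$'

# Copy one zip entry fully into memory (class files and nested jars are small).
function Read-EntryBytes($Entry) {
    $ms = New-Object System.IO.MemoryStream
    $s = $Entry.Open()
    try { $s.CopyTo($ms) } finally { $s.Dispose() }
    return ,$ms.ToArray()
}

# Inspect one open archive; emits one record per JndiLookup.class found, recursing into nested archives.
function Test-Archive($Archive, [string]$DisplayPath) {
    foreach ($entry in $Archive.Entries) {
        if ($entry.FullName -eq $JndiClass) {
            [byte[]]$bytes = Read-EntryBytes $entry
            # The marker is plain ASCII, so an ASCII decode of the class bytes is enough to find it.
            $text = [System.Text.Encoding]::ASCII.GetString($bytes)
            [pscustomobject]@{
                Path   = $DisplayPath
                Entry  = $entry.FullName
                Status = if ($text.Contains($PatchMarker)) { 'PATCHED' } else { 'VULNERABLE' }
            }
        }
        elseif ($entry.Name -match $ArchiveExt) {
            # Nested archive: load it into memory and recurse, recording the nesting in the path.
            [byte[]]$inner = Read-EntryBytes $entry
            $ms  = New-Object System.IO.MemoryStream -ArgumentList (,$inner)
            $zip = New-Object System.IO.Compression.ZipArchive($ms)
            try { Test-Archive $zip "$DisplayPath!$($entry.FullName)" } finally { $zip.Dispose() }
        }
    }
}

# Walk the folder tree and test every archive found; unreadable files are reported, not fatal.
function Find-JndiLookup([string]$Path, [switch]$IncludeHidden) {
    $files = Get-ChildItem -Path $Path -Recurse -File -Force:$IncludeHidden |
             Where-Object { $_.Name -match $ArchiveExt }
    foreach ($f in $files) {
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($f.FullName)
            try { Test-Archive $zip $f.FullName } finally { $zip.Dispose() }
        }
        catch { Write-Warning "Could not open $($f.FullName): $($_.Exception.Message)" }
    }
}

if (-not $Force) { Write-Warning '-Force not used, will not scan System or Hidden files.' }
$results = @(Find-JndiLookup -Path $PSPath -IncludeHidden:$Force)
foreach ($r in $results) {
    if ($r.Status -eq 'PATCHED') { "$($r.Path) contains $($r.Entry) ** BUT APPEARS TO BE PATCHED **" }
    else { Write-Warning "$($r.Path) contains $($r.Entry)" }
}
if (-not ($results | Where-Object Status -eq 'VULNERABLE')) { 'No vulnerable components found' }
```

Run it the same way as the page's sample, e.g. powershell -ExecutionPolicy Bypass -File .\Find-JndiLookup.ps1 -PSPath C:\java\helloLog4J\sourceCode\2.14.1 -Force. Against the 2.14.1 tree it produces the WARNING line, against 2.17.1 the ** BUT APPEARS TO BE PATCHED ** line followed by "No vulnerable components found", matching the two outputs above. The nested-archive branch matters in practice: a log4j-core jar bundled inside a WAR or a fat JAR never appears as a file on disk, so a scanner that only lists *.jar files would miss it.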


Summary

Thank goodness, Carnegie Mellon University’s Software Engineering Institute – CERT Coordination Center has an open-source tool that allows one to detect Java applications that are vulnerable to Log4j’s Log4Shell security vulnerability.

It is open source; if time permits, please download and review its source code.

Disclaimer

I am not a security analyst.

It is difficult for me to discuss security apparatus and do a deep dive.

There are just way too many opportunities for the bad guys to find holes in one’s armor.

For that reason, I will not discuss each tool’s strengths and lacks in my evaluation.
