Background
Library ( Jar ) Files
Patched / Apache / v2.17.1
Package
File Type | File Name | Link |
---|---|---|
Apache Log4j 2 binary ( tar.gz ) | apache-log4j-2.17.1-bin.tar.gz | Link |
Apache Log4j 2 binary ( zip ) | apache-log4j-2.17.1-bin.zip | Link |
Extract
Jar File Usage | Purpose | JAR File Name Syntax | JAR File Name ( Version Specific ) |
---|---|---|---|
Log4J API File | Provides the adapter components required for implementers to create a logging implementation. | log4j-api-[major].[minor].[subminor].jar | log4j-api-2.17.1.jar |
Log4J Core File | Core Log4j Implementation classes | log4j-core-[major].[minor].[subminor].jar | log4j-core-2.17.1.jar |
Bridge File | Provides Bridge from v1.2 to v2.* | log4j-1.2-api-[major].[minor].[subminor].jar | log4j-1.2-api-2.17.1.jar |
Unpatched / Apache / v2.14.1
Package
File Type | File Name | Link |
---|---|---|
Apache Log4j 2 binary ( tar.gz ) | apache-log4j-2.14.1-bin.tar.gz | Link |
Apache Log4j 2 binary ( zip ) | apache-log4j-2.14.1-bin.zip | Link |
Extract
Jar File Usage | Purpose | JAR File Name Syntax | JAR File Name ( Version Specific ) |
---|---|---|---|
Log4J API File | Provides the adapter components required for implementers to create a logging implementation. | log4j-api-[major].[minor].[subminor].jar | log4j-api-2.14.1.jar |
Log4J Core File | Core Log4j Implementation classes | log4j-core-[major].[minor].[subminor].jar | log4j-core-2.14.1.jar |
Bridge File | Provides Bridge from v1.2 to v2.* | log4j-1.2-api-[major].[minor].[subminor].jar | log4j-1.2-api-2.14.1.jar |
Compile
We compiled against the 2.14 version.
setlocal
set "jar_log4j_version=2.14.1"
set "jar_log4j_folder=lib/log4j/%jar_log4j_version%"
set "jar_log4j_explicit=%jar_log4j_folder%/*"
set "jar_log4j_implicit=%jar_log4j_folder%/log4j-api-%jar_log4j_version%.jar;%jar_log4j_folder%/log4j-core-%jar_log4j_version%.jar;%jar_log4j_folder%/log4j-1.2-api-%jar_log4j_version%.jar"
set "jar_log4j=%jar_log4j_implicit%"
javac -cp .;%jar_log4j% helloLog4j.java
endlocal
Ran
Ran the 2.14 version.
Script
invoke
invoke_base.cmd
setlocal
set "jar_log4j_folder=lib/log4j/%jar_log4j_version%"
set "jar_log4j_explicit=%jar_log4j_folder%/*"
set "jar_log4j_implicit=%jar_log4j_folder%/log4j-api-%jar_log4j_version%.jar;%jar_log4j_folder%/log4j-core-%jar_log4j_version%.jar;%jar_log4j_folder%/log4j-1.2-api-%jar_log4j_version%.jar"
set "jar_log4j=%jar_log4j_implicit%"
java -cp .;%jar_log4j% helloLog4j
endlocal
invoke.v.2.14.1.cmd
setlocal
set "jar_log4j_version=2.14.1"
call invoke_base.cmd
endlocal
CERT ( Community Emergency Response Team ) Coordination Center ( CERT/CC )
Background
The CERT Coordination Center is part of Carnegie Mellon University’s Software Engineering Institute.
The center’s URL is https://github.com/CERTCC. ( Link )
CERTCC / CVE-2021-44228_scanner
Background
The CERT Coordination Center has a tool for identifying Java applications that are susceptible to Log4j’s CVE-2021-44228 security vulnerability.
The tool is available on GitHub; specifically at https://github.com/CERTCC/CVE-2021-44228_scanner ( Link )
Scripts
There are programming language-specific scripts.
Currently, the following programming languages are available:
- Bash Shell
  - checkjndi.sh
- PowerShell
  - checkjndi.ps1
- Python
  - checkjndi.py
Download Scripts
There are various avenues for downloading artifacts from GitHub.
Available options include:
- Manual
  - Web Browser
- Script
  - git client
Script
Git Client / Git Clone
My go-to git command for downloading a git repository is “git clone”.
Syntax
git clone <repository>
Sample
git clone https://github.com/CERTCC/CVE-2021-44228_scanner.git
Output – Text
>git clone https://github.com/CERTCC/CVE-2021-44228_scanner.git
Cloning into 'CVE-2021-44228_scanner'...
remote: Enumerating objects: 194, done.
remote: Counting objects: 100% (103/103), done.
remote: Compressing objects: 100% (68/68), done.
remote: Total 194 (delta 60), reused 66 (delta 35), pack-reused 91
Receiving objects: 100% (194/194), 400.80 KiB | 2.78 MiB/s, done.
Resolving deltas: 100% (107/107), done.
PowerShell Script
In this post, we will not examine the bash or python script.
On the other hand, we will take a quick look at PowerShell.
Outline
Here are the log4J Versions that we will examine
- Version 2.17.1
- Version 2.14.1
Prerequisite
- Microsoft
- Powershell
- Powershell v3.0
- Powershell
Exercise
Syntax
powershell -file [powershell-script] -PSPath [java-folder]
v 2.17.1
Sample
powershell -file C:\Downloads\Cert\CVE-2021-44228_scanner\checkjndi.ps1 -PSPath C:\java\helloLog4J\sourceCode\2.17.1
Output
Output – Text
>powershell -file C:\Downloads\Cert\CVE-2021-44228_scanner\checkjndi.ps1 -PSPath C:\java\helloLog4J\sourceCode\2.17.1
WARNING: -Force not used, will not scan System or Hidden files.
C:\java\helloLog4J\sourceCode\2.17.1\lib\log4j\log4j-core-2.17.1.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class ** BUT APPEARS TO BE PATCHED **
No vulnerable components found
Explanation
- JndiLookup.class
  - org/apache/logging/log4j/core/lookup/JndiLookup.class
  - ** BUT APPEARS TO BE PATCHED **
  - No vulnerable components found
v 2.14.1
Sample
powershell -file C:\Downloads\Cert\CVE-2021-44228_scanner\checkjndi.ps1 -PSPath C:\java\helloLog4J\sourceCode\2.14.1
Output
Output – Text
>powershell -file C:\Downloads\Cert\CVE-2021-44228_scanner\checkjndi.ps1 C:\java\helloLog4J\sourceCode\2.14.1
WARNING: -Force not used, will not scan System or Hidden files.
WARNING: C:\java\helloLog4J\sourceCode\2.14.1\lib\log4j\2.14.1\log4j-core-2.14.1.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class
Explanation
- JndiLookup.class
  - WARNING: C:\java\helloLog4J\sourceCode\2.14.1\lib\log4j\2.14.1\log4j-core-2.14.1.jar contains org/apache/logging/log4j/core/lookup/JndiLookup.class
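Both scanner runs above key on whether an archive contains org/apache/logging/log4j/core/lookup/JndiLookup.class. The Python sketch below is an added example, not code from the CERT/CC scanner or from the original post: it repeats that presence check, follows jars nested inside other archives (which a file-name search misses), and reads the log4j-core version from Maven's pom.properties. The 2.17.1 threshold, the function names and the in-memory sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the jar still carries the Maven metadata log4j-core is built with.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
PATCHED = (2, 17, 1)  # assumption: the release this page labels "Patched"

def core_version(zf):
    """Return log4j-core's version as a tuple, or None if metadata is absent."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, label, depth=0):
    """Yield (location, version, verdict) for every archive with JndiLookup.class."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive: nothing to report
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            ver = core_version(zf)
            verdict = ("UNKNOWN VERSION" if ver is None
                       else "patched release" if ver >= PATCHED else "REVIEW")
            yield label, ver, verdict
        if depth < 5:  # bound recursion into nested (fat) jars
            for name in names:
                if name.lower().endswith(ARCHIVE_EXT):
                    yield from scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)

def make_jar(entries):  # constructed sample archive from {entry name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_findings():  # constructed fat jar bundling both versions the page tests
    old = make_jar({JNDI_CLASS: b"", POM_PROPS: b"version=2.14.1\n"})
    new = make_jar({JNDI_CLASS: b"", POM_PROPS: b"version=2.17.1\n"})
    fat = make_jar({"lib/log4j-core-2.14.1.jar": old, "lib/log4j-core-2.17.1.jar": new})
    return list(scan_archive(fat, "app.jar"))
```

A REVIEW verdict only means the bundled log4j-core is older than the release this page uses as patched; to scan a file on disk, pass its bytes and path to scan_archive.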
Summary
Thank goodness, Carnegie Mellon University’s Software Engineering Institute – CERT Coordination Center has an open-source tool that allows one to detect Java applications that are vulnerable to Log4j’s Log4Shell security vulnerability.
It is open source; if time permits, please download and review its source code.
Disclaimer
I am not a security analyst.
It is difficult for me to discuss security apparatus and do a deep dive.
There are just way too many opportunities for the bad guys to find holes in one’s armor.
For that reason, I will not discuss each tool’s strengths and shortcomings in my evaluation.