How to Check your Server for the Java Log4j Vulnerability (CVE-2021-44228)
The Apache Log4j is a serious vulnerability. If someone sends the library a command in the form of a special string of characters tucked within that data, instead of just logging that information, log4j will execute it as though it is code in a program. This is a serious flaw and you need to check to see if your server(s) are vulnerable.
Quote from the National Information Security Center - https://qcert.org/node/1818
There has been an identified remote code execution vulnerability (CVE-2021-44228) in Apache log4j 2. A proof-of-concept (PoC) version of the exploit code has been released publicly, and as per security researcher it is extremely easy to exploit. Based on how the system is configured, a malicious payload can be downloaded and executed by an attacker submitting a specially crafted request to a vulnerable system.
This is the direct link to Apache regarding the Vulnerability - https://logging.apache.org/log4j/2.x/security.html
The following video will show you how to use open source code from github to check to see if your servers are vulnerable. We, at Clustered Networks did not write the code, however we used it on our servers to check for the Log4j files and vulnerability.
The way the script works is it uses the Locate command (may require installation if not already installed) to query your server to look into the YUM (Yellowdog Updater Modified) or DPKG (Debian Package Manager) package manager files to see if you have software installed that may be vulnerable. We encourage you to open or view the shell script (log4j_checker_beta.sh) to take a look at the code before you run it.
Link to the Script on Github to Check your Server for Apache Java Log4j code.
wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - |bash
Example output after running the script...
### locate files containing log4j ... ### check installed dpkg packages ... ### check if Java is installed ... [OK] Java is not installed _________________________________________________ If you see no uncommented output above this line, you are safe. Otherwise check the listed files and packages. Some apps bundle the vulnerable library in their own compiled package, so 'java' might not be installed but one such apps could still be vulnerable.
- DPKG (Debian Package Manager)
- YUM (Yellowdog Updater Modified)
The result of the script will let you know if your server is possibly vulnerable, or OK.
Checking for Log4j Vulnerability on Windows Servers
These are a few links you can use to check your windows servers
- https://log4j-tester.trendmicro.com/
- https://www.thesecmaster.com/how-to-detect-cve-2021-44228-log4shell-vulnerability-in-your-server/
- https://cybersecurityworks.com/blog/cyber-risk/have-you-patched-apache-log4j-vulnerability-cve-2021-44228.html#scxxxript
- https://github.com/NorthwaveSecurity/log4jcheck
Summary
As for companies and organizations, other than updating the software, they can also use a WAF (Web Application Firewall) such as Cloudflare to filter traffic before going to your website or webserver, which will look for the vulnerable string(s) and prevent them from reaching the log4j files that may, or may not, be on your server.
Quote from Article on Cloudflare's Website
CVE-2021-44228 is being actively exploited by a large number of actors. WAFs are effective as a measure to help prevent attacks from the outside, but they are not foolproof and attackers are actively working on evasions. The potential for exfiltration of data and credentials is incredibly high and the long term risks of more devastating hacks and attacks is very real.
It is vital to mitigate and patch affected software that uses Log4j now and not wait.
Clustered Networks
Located in Edmonton, AB Canada, Clustered Networks was Incorporated in 2001 and has offered Network / Internet and IT Consulting services for over 20 years. We offer personalized service! Call Us Today! - Click Here for our Contact Info
#log4j #java #CVE-2021-44228
