Finding and Mitigating Log4j Vulnerabilities
Date of Notice: 12/28/2021
Action Level - High
MCNC would like to update you on the threat affecting the Java logging utility Log4j. This is being tracked as CVE-2021-44228 and CVE-2021-45046 and CVE-2021-45105.
Logpresso, a software company located in Seoul, South Korea, released a tool for finding and removing vulnerable Log4j code snippets on Mac, Windows, and Linux machines. This tool has been used to great success by the general IT community and has been recommended by the NCLGISA IT Strike Team.
The Logpresso Github page where you can get this tool is located here.
Why Should I Use This?
This tool is simple to run and unpacks java files, ensuring it isn’t looking for just hashes like other tools. Additionally this tool can be run to either detect or remove vulnerable code; with a built-in backup and restore features for ensuring minimal impact. Further this lightweight tool runs on Windows, Mac, and Linux systems.
What Should I Know First?
This tool DOES NOT patch your devices, it simply removes the vulnerable code and replaces it with a sanitized version. Log4j software may or may not be critical to the operation of a given solution in your environment, so backup, test, and be ready to restore if you experience issues with this Logpresso mitigation tool.
This tool DOES NOT identify which systems you may need to run it on. For complete coverage, you should run it on all Windows, Mac, and Linux devices in your environment to determine if they contain vulnerable Log4j software.
This Logpresso mitigation tool can be deployed across all your devices with the assistance of a software deployment solution such as SCCM, PDQ, or other similar infrastructure.
While this tool has been recommended by many it is still a free tool with minimal support. If you encounter issues you can post to their github issues page.
How Do I Use It?
Once you have downloaded the tool specific to your operating system, you will run it from a command line. Basic scans to only alert on found entries would be:
As the scan runs it will provide 10 second updates regarding what has been scanned. Once complete you will get an output similar to:
Scanned 260926 directories and 1582636 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 69.40 seconds
Next you can decide how you want to handle the offending files. Explore deleting or updating whatever is vulnerable first; if unable, run the tool again, but add in the –-fix flag before the target path (which should be updated to the offending file.)
If you need to restore you can use the –-restore flag and specify the backup file location.
If running this across your entire environment you can explore sending the results to a central log collection point for further parsing.