log4jscanlinux

log4jscanlinux copied to clipboard

License THIS SCRIPT IS PROVIDED TO YOU "AS IS." TO THE EXTENT PERMITTED BY LAW, QUALYS HEREBY DISCLAIMS ALL WARRANTIES AND LIABILITY FOR THE PROVISION OR USE OF THIS SCRIPT. IN NO EVENT SHALL THESE SCRIPTS BE DEEMED TO BE CLOUD SERVICES AS PROVIDED BY QUALYS

Log4j Vulnerability Scanner Shell Script:

Description: This shell script intends to collect necessary details and help detect CVE-2021-44228 and CVE-2021-45046 vulnerabilities reported in Log4j. The script will scan the entire filesystem, including archives for the Java class that indicates the Java application contains a vulnerable Log4j library. Once Log4j QID is introduced in Qualys VM signatures, the output file generated by this script will serve as a data point to assess and report the QID during agent VM scan.

Usage: Supported platforms: Linux(RHEL, CentOS, Ubuntu, Debian, Amazon Linux, and OEL), MacOS, AIX, and Solaris Supported architectures: x64, ARM(Linux)

How to run the script?

1. Create and save a script (.sh) file using any text editor.
2. Execute the script file using shell script. Use the following commands:

LINUX: (detects WARs, EARs, ZIPs, and nested JARs, located under linux folder) sh .sh [base_dir] [network_filesystem_scan<true/false>] Here, is actual script name. (default: [base_dir]=/ [network_filesystem_scan]=false) For example: sh ./log4j_findings.sh /home false

MacOS/AIX/Solaris: (Beta version, detects JARs only, located under unix folder) sh .sh [base_dir] Here, is actual script name. (default: [base_dir]=/ ) For example: sh ./log4j_findings_unix.sh /home

The script’s standard output will be redirected to: Linux: /usr/local/qualys/cloud-agent/log4j_findings.stdout MacOS: /Library/Application\ Support/QualysCloudAgent/Data/log4j_findings.stdout AIX/Solaris: /opt/qualys/cloud-agent/log4j_findings.stdout

Any error occurring during its execution is redirected to: Linux: /usr/local/qualys/cloud-agent/log4j_findings.stderr MacOS: /Library/Application\ Support/QualysCloudAgent/Data/log4j_findings.stderr AIX/Solaris: /opt/qualys/cloud-agent/log4j_findings.stderr (This file will also contain command execution start time and status on completing the run)

If the agent is not installed, the script will create the following directory and dump the standard output and error in files within it. However, no status information will be written in the error file if its execution is aborted. LINUX: /usr/local/qualys/cloud-agent/ MACOS: /Library/Application\ Support/QualysCloudAgent/Data/
AIX/Solaris: /opt/qualys/cloud-agent/

The following details are shown in the output: Source: Path of pom.xml within a jar file JNDI class found or not found status Path of the jar log4j version

Sample output:(/usr/local/qualys/cloud-agent/log4j_findings.stdout) Source: META-INF/maven/org.slf4j/slf4j-log4j12/pom.xml META-INF/maven/log4j/log4j/pom.xml JNDI-Class: JNDI Class Not Found Path= /root/TestFiles_log4j/TestFiles/kafka-producer-intellij.jar log4j Unknown

Source: META-INF/maven/org.apache.logging.log4j/log4j-api/pom.xml META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml JNDI-Class: JNDI Class Found Path= /root/TestFiles_log4j/TestFiles/ProjWithVulLog4j-1.0-SNAPSHOT-jar-with-dependencies.jar log4j 2.13.0

Source: META-INF/maven/log4j/log4j/pom.xml JNDI-Class: JNDI Class Not Found Path= /usr/share/java/log4j.jar log4j Unknown

Sample error file: (/usr/local/qualys/cloud-agent/log4j_findings.stderr) scanning started for log4j jar Thu Dec 16 17:47:36 IST 2021 Run status : Success