CVE-2021-44228-Scanner
Share your story
- Would you introduce yourself?
- How many servers did you scan or fix?
- Did you complete your mission? How long did it take?
- Have you tried other tools? What was the difference?
- Do you have any useful tips?
We are still investigating. In the first try we scanned our DMZ systems; now we are going to scan the rest. In the end it's around 2900 servers (Win/Unix).
We searched with our own PowerShell scripts etc. What our automation team is missing the most are error codes for the scanner, but we are happy to have this tool :)
Would you introduce yourself? Sr. Linux Sysadmin at Pavlov Media. Formerly a Java developer.
How many servers did you scan or fix? Scanned several hundred, fixed about 20.
Did you complete your mission? How long did it take? Not completed. The darn issue keeps expanding with more CVEs.
Have you tried other tools? What was the difference? Looked at other tools; the best one requires Python to be installed on hosts to run it, a total non-starter for Windows: our Senior Windows admin rejected that idea outright. He's willing to use the pre-compiled binary for Windows, though. (I'm old school and don't download Linux binaries from GitHub, I build from source.)
Do you have any useful tips? Beware the spaces-in-filenames issues. Running the jar on Linux doesn't like being told to use a ./ prefix on a path. Windows doesn't like putting quotes around parameters, and PowerShell can mangle your dashes and quotes. I'm used to bash, so I escape such things without thinking much about it.
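One way to sidestep the quoting problems described above when the scanner is driven from PowerShell, as an added example that is not from the post or from the Logpresso project: keep every argument as its own array element and splat it after the call operator. The scanner path, report directory and scan target below are made-up values chosen to contain spaces; the flags are the scanner's own.

```powershell
# Added example: calling log4j2-scan from PowerShell with paths that contain spaces.
# The three paths are assumptions for the example, not real installation defaults.
$Scanner   = 'C:\Tools\Log4j Scan\log4j2-scan.exe'   # note the space in the folder name
$ReportDir = 'C:\Scan Reports'
$Target    = 'D:\Apps\Enterprise Suite'

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$Report = Join-Path $ReportDir ('{0}-{1:yyyyMMdd-HHmm}.csv' -f $env:COMPUTERNAME, (Get-Date))

# One argument per array element. Splatting the array after the call operator (&)
# hands each element to the native exe as a single argument, and PowerShell itself
# wraps any element that contains a space in double quotes, so nothing is escaped
# by hand and no quote survives into the value the scanner sees.
# Type the dashes in the script file rather than pasting them from a web page:
# a pasted en dash is not the ASCII '-' the scanner expects.
$ScanArgs = @(
    '--scan-log4j1'
    '--scan-logback'
    '--scan-zip'
    '--report-csv'
    '--report-path'
    $Report
    $Target
)

# If the scanner sits in the current directory, PowerShell needs '.\log4j2-scan.exe';
# a bare 'log4j2-scan.exe' is resolved only through PATH.
& $Scanner @ScanArgs

# The native exit code lives in $LASTEXITCODE (not $?); record it for automation.
Write-Host ('log4j2-scan exited with code {0}; report: {1}' -f $LASTEXITCODE, $Report)
```

Splatting works in both Windows PowerShell 5.1 and PowerShell 7; it is the same mechanism whether the executable is the pre-compiled `log4j2-scan.exe` or `java` with `-jar` and the jar path as the first two array elements.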
- Would you introduce yourself?
- I'm a software developer and automation engineer working on the endpoint management product HCL BigFix. I am trying to contribute back to this project as I can, as we work on content to automate it.
- How many servers did you scan or fix?
- Helping our customers scan thousands of systems at once by running this utility through BigFix.
- Did you complete your mission? How long did it take?
- Have things working well on Windows and Linux. Trying to figure out the best way to run on other platforms seamlessly even if there isn't already a JRE installed. We have a massive discussion happening here: https://forum.bigfix.com/t/log4j-cve-2021-44228-detection-and-mitigation/40141
- Have you tried other tools? What was the difference?
- We tried approaches that scanned looking for JAR files that contain `log4j2-core-*`, but the Logpresso scan utility found tons more results within renamed JAR files, WAR files, EAR files, and JAR files that contain many things bundled together.
- Do you have any useful tips?
- Test, test, test. Do gradual rollouts across many devices so as not to overwhelm storage of VM hosts, networks, etc.
- Take a long vacation when this settles down.
Would you introduce yourself? I lead a security software company that helps organizations operating Critical Infrastructure to detect and mitigate threats.
How many servers did you scan or fix? 10,000+ servers.
Did you complete your mission? How long did it take? We are using Logpresso with our other tools as an "enhanced" detection mechanism and are having great luck so far!
Have you tried other tools? What was the difference? The developer of Logpresso is way more responsive :)
Do you have any useful tips? Test!
Would you introduce yourself? I'm an IT Engineer from Germany.
How many servers did you scan or fix? MANY. Number increasing. Accidentally fixed a system automatically with the parameter `force-fix` :-D
Did you complete your mission? How long did it take? I'm pretty sure this issue will be with us for a long time, like the coronavirus. Everyone should scan their hosts on a regular basis. Use a monitoring tool. We built a check plugin for checkmk; an open-source, free version is available (blog article, latest version of the check plugin, discussion for the plugin development: JOIN US!). With checkmk we were able to push the check to all monitored Linux/Windows hosts at once. The check is executed every 4 hours. For questions about checkmk ask Martin Hirschvogel (@martinhv).
Have you tried other tools? What was the difference? Not yet. But I will do this for cross-checking.
Do you have any useful tips?
- As @jlellis mentioned, no one should use binaries downloaded from unknown sources (use antivirus tools).
- Provide checksums for the files to help find possible code injections.
- Provide how-tos to build the binaries from source (@jlellis, can you assist here?).
- Keep the scan binaries as small as possible so that the deployment doesn't use as much bandwidth.
- I still have a stomachache when rolling out the scan tool to many systems. I don't want to kill many systems at once through my own fault. Find a solution to reduce CPU usage.
@xeraph AWESOME work! Keep going! Tell us if you need help. Contact the checkmk guys and bundle your competences.
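Two of the tips above, verifying a downloaded binary against a published checksum before it runs and keeping the scan from starving the host, can be wired into the same wrapper. The following is an added example, not code from the post or from the Logpresso project. It assumes the scanner's SHA-256 is delivered out of band in a sidecar file whose first token is the hex digest (the file name and location are assumptions), and it lowers the process priority with the standard .NET `PriorityClass` property rather than any scanner option.

```powershell
# Added example: refuse to run a scanner binary whose SHA-256 does not match the
# published digest, then run it at below-normal CPU priority.
# Paths and the sidecar checksum file are assumptions for the example. The expected
# digest comes only from the sidecar; this script never derives its own "expected" value.
$Scanner      = 'C:\Tools\log4j2-scan.exe'
$ChecksumFile = 'C:\Tools\log4j2-scan.exe.sha256'   # assumed line format: "<hex digest>  log4j2-scan.exe"
$Target       = 'C:\'
$Report       = 'C:\ScanReports\{0}.csv' -f $env:COMPUTERNAME

function Test-ScannerChecksum {
    param([string]$Path, [string]$ChecksumPath)
    # First whitespace-delimited token of the sidecar is the digest. Compare
    # case-insensitively because tools differ in the hex casing they emit.
    $line     = (Get-Content -Path $ChecksumPath -TotalCount 1).Trim()
    $expected = ($line -split '\s+')[0]
    $actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($actual -ieq $expected)
}

if (-not (Test-ScannerChecksum -Path $Scanner -ChecksumPath $ChecksumFile)) {
    Write-Error "SHA-256 mismatch for $Scanner; refusing to run it."
    exit 1
}

New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null

# Start-Process joins -ArgumentList with spaces and does NOT quote for you, so any
# value that may contain a space is quoted explicitly here.
$ArgString = '--scan-log4j1 --scan-logback --scan-zip --report-csv --report-path "{0}" "{1}"' -f $Report, $Target

$proc = Start-Process -FilePath $Scanner -ArgumentList $ArgString -NoNewWindow -PassThru
# Lower the priority immediately after start so a fleet-wide rollout does not starve
# the applications on the host. The scan still does the same amount of disk I/O; it
# just yields the CPU to anything at normal priority. There is a short window between
# process start and this assignment during which it runs at normal priority.
try { $proc.PriorityClass = 'BelowNormal' } catch { Write-Warning "Could not lower priority: $_" }
$proc.WaitForExit()
Write-Host ('log4j2-scan finished with exit code {0}; report: {1}' -f $proc.ExitCode, $Report)
```

On Linux the equivalent of the priority step is running the jar under `nice`/`ionice`; the checksum step is `sha256sum -c` against the same sidecar file.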
Great scanner, thank you. Very easy to use and very effective too. Used on Windows with the following in a batch file:

```bat
REM "ServerName" is the window title; /D sets the working directory; /I starts with a clean environment.
REM The scan target is the server's administrative share, reached over SMB from the scanning host.
start "ServerName" /D .\Log4jScan /I log4j2-scan.exe --scan-log4j1 --scan-logback --scan-zip --report-path .\logs\ServerName.csv --report-csv \\ServerName\C$
```
We are able to scan our 89 servers from a single location this way.
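The batch line above launches one scan per server; combined with the earlier tip about gradual rollouts, the part a practitioner usually adds next is a cap on how many run at once. The following is an added example, not from the post or from the Logpresso project: the same flags and the same `\\server\C$` target, driven from a server list, with at most N scans in flight and one CSV plus one stdout/stderr log per server. The tool path, `servers.txt` and the log folder are assumptions.

```powershell
# Added example: scan many servers over their administrative shares from one host,
# at most $MaxParallel at a time. Paths and servers.txt are assumptions for the example.
$Scanner     = 'C:\Log4jScan\log4j2-scan.exe'
$ServerList  = 'C:\Log4jScan\servers.txt'   # one host name per line
$ReportDir   = 'C:\Log4jScan\logs'
$MaxParallel = 5                            # raise slowly: each scan reads every file on the target over SMB

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$running = @{}   # host name -> Process object still running
$results = @{}   # host name -> exit code once finished

function Start-ServerScan([string]$Server) {
    $report = Join-Path $ReportDir "$Server.csv"
    # -ArgumentList is not quoted for you, so the report path is quoted explicitly.
    $argString = '--scan-log4j1 --scan-logback --scan-zip --report-csv --report-path "{0}" \\{1}\C$' -f $report, $Server
    return Start-Process -FilePath $Scanner -ArgumentList $argString -NoNewWindow -PassThru `
        -RedirectStandardOutput (Join-Path $ReportDir "$Server.out.log") `
        -RedirectStandardError  (Join-Path $ReportDir "$Server.err.log")
}

function Update-FinishedScans {
    # Iterate over a snapshot of the keys because entries are removed while looping.
    foreach ($name in @($running.Keys)) {
        if ($running[$name].HasExited) {
            $results[$name] = $running[$name].ExitCode
            $running.Remove($name)
        }
    }
}

foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() -ne '' })) {
    while ($running.Count -ge $MaxParallel) {
        Start-Sleep -Seconds 5
        Update-FinishedScans
    }
    $running[$server.Trim()] = Start-ServerScan $server.Trim()
}
while ($running.Count -gt 0) {
    Start-Sleep -Seconds 5
    Update-FinishedScans
}

# Summary: the scanner's exit-code meanings are not documented on this page, so a
# missing or empty CSV and a non-empty stderr log are the signals to act on.
$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $csv = Join-Path $ReportDir ('{0}.csv' -f $_.Key)
    '{0,-20} exit={1} report={2}' -f $_.Key, $_.Value, (Test-Path $csv)
}
```

Start with a small `$MaxParallel`, watch the SMB and disk load on the scanning host and on the VM hosts behind the targets, and only then widen it; the report files accumulate in `$ReportDir` either way.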