Check for Log4j vulnerabilities with this simple-to-use script

2 years ago 358

If you're not definite whether your Java task is escaped from Log4j vulnerabilities, you should effort this easy-to-use scanning instrumentality immediately.

open root   security

Image: Shutterstock/LeoWolfert

One large happening astir Linux and the unfastened root assemblage is that arsenic soon arsenic a vulnerability is detected, developers are hard astatine enactment releasing tools to mitigate the problem. Such is the lawsuit with the Log4j vulnerability.

This peculiar contented is rather bad, arsenic it affects truthful galore servers and projects. Here's however the Log4j vulnerability works: 

  • Log4j2 supports a logging diagnostic called Message Lookup Substitution, which enables peculiar strings to beryllium replaced, during the clip of logging, by different dynamically generated strings.
  • One of the lookup methods (JNDI paired with LDAP) fetches a peculiar people from a distant root to deserialize it, which executes immoderate of the people code.
  • Any portion of the logged drawstring tin past beryllium controlled by a distant attacker.

Part of the occupation is that Log4j is truthful profoundly embedded successful Java projects and dependencies that are utilized by rather a batch of tools. So uncovering each vulnerability successful your server tin beryllium tricky.

Fortunately, plentifulness of efforts person been taken to assistance find these issues. One specified effort is Log4j Detect, which volition scan your improvement projects to guarantee they're escaped from vulnerabilities. 

I privation to amusement you however to usage the Log4j Detect publication to scan your Java projects. 

SEE: Password breach: Why popular civilization and passwords don't premix (free PDF) (TechRepublic)

What you'll request

To enactment with this script, you'll request a Java task and a idiosyncratic with sudo privileges. That's it. Let's get to work. This publication tin beryllium utilized connected Linux, macOS and Windows. I'll beryllium demonstrating connected Linux (via Ubuntu Server 20.04). 

How to download and instal Log4j Detect

The archetypal happening to beryllium done is the installation of Log4j Detect. To bash that, log into your Linux server and download the publication by archetypal mounting your strategy architecture arsenic an situation adaptable with:

ARCH=amd64

If your architecture is ARM, that bid would be:

ARCH=arm64

Next, download the publication with:

wget "https://github.com/whitesource/log4j-detect-distribution/releases/latest/download/log4j-detect-1.3.0-darwin-$ARCH.tar.gz"

Unpack the record with:

tar -xzvf log4j-detect-1.3.0-darwin-$ARCH.tar.gz

Give the record the due permissions with:

chmod +x log4j-detect

Move the record into /usr/local/bin with:

sudo mv log4j-detect /usr/local/bin/

How to scan your task with Log4j-detect

Now that the installation is complete, let's scan a task for Log4j vulnerabilities. Let's accidental your task is housed successful a directory named JAVAWeb-Project. Change into that directory and contented the command:

log4j-detect scan

Depending connected however ample your task is, the scan shouldn't instrumentality excessively agelong to complete. When it does, it'll study backmost if determination are immoderate issues (Figure A).

Figure A

log4jdetecta.jpg

The results of a Log4j-detect scan connected a random Java task I recovered connected GitHub

As you tin see, the Java task I tested has Log4j issues that indispensable beryllium addressed. The publication volition constituent retired the problems arsenic good arsenic however to remediate the issue. Once you've addressed everything, tally the publication again to spot if the vulnerabilities are nary longer detected.

You should see this a must-do for each task and server you fishy could beryllium susceptible to Log4j (and adjacent those you mightiness deliberation are safe). This is 1 lawsuit wherever you are astir surely amended harmless than sorry.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article