Log4j has seen a series of vulnerabilities discloser just over the period of a couple of weeks. The worst part is that it is said to be the deadliest vulnerability of the decade. Security firm CheckPoint said that these vulnerabilities are not less than a pandemic. These vulnerabilities allow attackers to perform unauthenticated, remote code execution with minimum effort on any application using the Log4j library. We hope most of you know how many applications use the Log4j library. This made millions of machines vulnerable to the Log4j vulnerabilities. If you want to read more on the Log4j vulnerabilities, we have published multiple posts on how to detect Log4j vulnerabilities, how to fix Log4j vulnerabilities, how to protect your machine from Log4j vulnerabilities, how do Log4j vulnerabilities work, and some of the basic workaround techniques to mitigate Log4j vulnerabilities in previous posts. We thought it is good to introduce some more tools and techniques to help you check the vulnerable hosts more efficiently. Please don’t leave this post unread, as we have covered four new powerful tools to check for vulnerable log4j hosts on your network.
If you are searching for a command to check the Log4j version, then you may end up with no results. There is no such command that will tell you the version of Log4j installed on your system. Some applications ship the libraries directly as a jar file, and some will contain them in archives. You may need to prep inside the jar or archive to see the version of Log4j.
Well, it is easy for a java developer who knows how to prepare jar files and build java packages to check the Log4j library versions inside jar files. However, we have created this post for those who don’t know about looking for Log4j library versions hidden inside jar files. We have covered four such powerful tools to check for vulnerable log4j hosts on your network.
Table of Contents
Log4j Vulnerabilities Found In 2021:
|CVE-2021-44228||10.0 Critical||Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library||2.15.0|
|CVE-2021-45046||3.7 Low||Denial of Service vulnerability in Log4j Logging Library||2.16.0|
|CVE-2021-45105||7.5 High||Denial of Service vulnerability in Log4j Logging Library due to infinite recursion in lookup evaluation||2.17.0|
|CVE-2021-44832||6.6 Medium||RCE vulnerability could allow attackers to modify the logging configuration file to execute code via a data source referencing a JNDI URI.||2.17.1|
List Of Tools To Check For Vulnerable Log4j Hosts On Your Network
Check For Vulnerable Log4j Hosts Using log4j-Scan:
Log4j-scan is a fully automated, accurate, and extensive scanner tool to check vulnerable log4j hosts on the network. You can use this tool for personal or commercial purposes to scan infrastructure for Log4J vulnerabilities, and test for WAF bypasses that can result in code execution on the organization’s environment. This tool doesn’t require setting up a DNS callback server since it supports DNS OOB callbacks.
- It support for lists of URLs.
- Fuzzing for more than 60 HTTP request headers (not only 3-4 headers as previously seen tools).
- Fuzzing for HTTP POST Data parameters.
- Fuzzing for JSON data parameters.
- Supports DNS callback for vulnerability discovery and validation.
- WAF Bypass payloads.
How To Run Log4j-Scan Tool?
- Clone the git: $ git clone https://github.com/fullhunt/log4j-scan.git
- get inside the log4j-scan directory: $ cd log4j-scan
- Install the required pip packages: $ pip3 install -r requirements.txt
- Run the tool:
- To Run the help: $ python3 log4j-scan.py -h
- To check a single URL: $ python3 log4j-scan.py -u https://192.168.0.110:8000
- To checka Single URL using all Request Methods: $ python3 log4j-scan.py -u https://192.168.0.110:8000 –run-all-tests
- To discover WAF bypasses against the environment: $ python3 log4j-scan.py -u https://192.168.0.110:8000 –waf-bypass
- To scan a list of URLs inside a file: $ python3 log4j-scan.py -l urls.txt
Check For Vulnerable Log4j Hosts Using log4j_Checker_Beta:
This is a script to check if your server is possibly affected by log4j vulnerabilities. However, it has some accuracy concerns about the detection of vulnerabilities in the Log4j library. Since it uses library version is one of the main criteria. Despite that, a good thing about his tool is that it supports archive files like WAR and EAR. This tool is capable of checking:
- It scans files for occurrences of log4j
- It checks for packages containing log4j and Solr ElasticSearch
- It checks if Java is installed
- Analyzes JAR/WAR/EAR files
- Option of checking hashes of .class files in archives
How To Run log4j_Checker_Beta?
Run this command to download the script and run on your machine
# wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - |bash
Run this command to see only warning in the output:
# wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - | bash | grep '\[WARNING\]'
Note: Ensure ‘locate’ and ‘unzip’ commends need to be installed and locate database is updated before you run the commands. results would be more accurate if you run these commands with superuser privilege.
# sudo apt install unzip locate# sudo updatedb
If you want to run this script on the machine which doesn’t have the internet connection, clone the git repository.
# cd log4j_checker_beta/
# ./log4j_checker_beta.sh hashes-pre-cve_local.txt | grep '\[WARNING\]'
Check For Vulnerable Log4j Hosts Using log4j-Sniffer:
log4j-sniffer crawls for all instances of log4j on disk within a specified directory. It is one of the accurate tools to identify the vulnerable instances of Log4j within a directory tree. It is not limited to working only with Java archives, it supports a wide range of archives such as .zip, tar, .tar.gz, .tgz, .tar.bz2, .tbz2.
log4j-sniffer will scan for all files of the following types based upon suffix:
- Zips: .zip
- Java archives: .jar, .war, .ear
- Tar: .tar, .tar.gz, .tgz, .tar.bz2, .tbz2
How to run log4j-sniffer?
- Install using ‘go’: $ go install github.com/palantir/log4j-sniffer@latest
- Download compelled executables for Linux, Windows, and mac from: https://github.com/palantir/log4j-sniffer/releases
- On Ubuntu: $ wget https://github.com/palantir/log4j-sniffer/releases/download/v1.0.0/log4j-sniffer-1.0.0-linux-amd64.tgz
- Extract The Downloaded File:
$ tar -xf log4j-sniffer-1.0.0-linux-amd64.tgz
3. Run log4j-sniffer:
- For Help Run: $ ./log4j-sniffer -h
4. Run the log4j-sniffer with crawl flag which takes directory path as imput to crawl for vulnerable Log4j libraries.
- $ ./log4j-sniffer crawl /opt/splunk/
Check For Vulnerable Log4j Hosts Using Check-Log4j:
Check-log4j is a tool developed by yahoo to check whether the host is vulnerable to the Log4j. This tool works entirely in a different way than other tools. It attempts to verify the service by triggering the exploit. But, on the other hand, it doesn’t tell that you may not know whether you have a vulnerable version of log4j on your system. Please see the manual page for full details.
How to Run Check-Log4j?
- Clone the git: $ git clone https://github.com/yahoo/check-log4j.git
- Change the directory to: $ cd check-log4j/src
- Run check-log4j: $ ./check-log4j.sh -p /opt/splunk
- For help: $ ./check-log4j.sh -h
We hope this post would help you know 4 Powerful Tools to Check for Vulnerable Log4j Hosts. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.