generated from yahoo/.github
-
Notifications
You must be signed in to change notification settings - Fork 26
/
check-log4j.1.txt
143 lines (104 loc) · 5.09 KB
/
check-log4j.1.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
check-log4j(1) NetBSD General Commands Manual check-log4j(1)
NAME
check-log4j -- try to determine if a host is vulnerable to log4j
CVE-2021-44228
SYNOPSIS
check-log4j [-Vhv] [-j jar] [-p path] [-s skip]
DESCRIPTION
The check-log4j tool attempts to determine whether the host it is exe-
cuted on is vulnerable to the log4j RCE vulnerability identified as
CVE-2021-4428.
Since this vulnerability is in a specific Java class that may be inside
nested Java archive files, check-log4j may be somewhat intrusive to run
and should be executed with care and consideration of the system's load.
Please see DETAILS for more information.
OPTIONS
The following options are supported by check-log4j:
-V Print version number and exit.
-h Print a short help message and exit.
-j jar Check only this archive, nothing else. Can be specified multi-
ple times for multiple JAR (or other zip formatted archive)
files.
-p path Limit filesystem traversal to this directory. Can be specified
multiple times. If not specified, check-log4j will default to
'/'.
-s skip Skip the given checks. Valid arguments are 'files', 'packages',
and 'processes'.
-v Be verbose. Can be specified multiple times.
DETAILS
CVE-2021-4428 describes a possible remote code execution (RCE) vulnera-
bility in the popular log4j framework. Simply causing the vulnerable
system to log a specifically crafted message can the attacker gain com-
mand execution and information disclosure capabilities. This vulnerabil-
ity relies on an insecure default setting applying to the Java Naming and
Directory Interface (JNDI).
Specifically, a system that contains the JndiLookup.class may enable the
attack path in question.
To determine whether a host is vulnerable, the check-log4j tool will per-
form the following checks:
o check for the existence of likely vulnerable packages
o check for the existence of java processes using the 'JndiLookup'
class
The discovery process may include running find(1), lsof(1), or rpm(1);
please use the -s flag to skip any checks that might have a negative
impact on your host.
The output of the command attempts to be human readable and provide suf-
ficient information to judge whether the host requires attention.
ENVIRONMENT
The following environment variables influence the behavior of
check-log4j:
CHECK_LOG4J_FIND_OPTS_PRE
Additional options to pass to find(1) prior to the path
name(s).
By default, check-log4j runs "find / -type f -name
'*.[ejw]ar'"; the contents of this variable are placed
immediately after the 'find' and before the path name(s).
CHECK_LOG4J_FIND_OPTS_POST
Additional options to pass to find(1) immediately after the
path name(s).
EXAMPLES
Sample invocation on a non-vulnerable host:
$ check-log4j
No obvious indicators of vulnerability found.
$
Sample invocation only looking at processes
$ ./check-log4j.sh -s files -s packages -v -v
=> Running all checks...
==> Skipping package check.
==> Looking for jars...
==> Skipping files check.
==> Checking all found jars...
check-log4j.sh 1.0 localhost: Possibly vulnerable jar 'BOOT-INF/lib/log4j-core-2.14.1.jar' (inside of /home/jans/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar) used by process 15569.
$
Sample invocation searching only /var and /usr/local/lib and skipping
package and process checks:
$ check-log4j -p /var -p /usr/local/lib -s packages -s processes
Possibly vulnerable jar '/usr/local/lib/jars/log4j-core-2.15.0.jar'.
Possibly vulnerable jar '/usr/local/lib/jars/log4j-core-2.15.jar'.
Possibly vulnerable jar '/usr/local/lib/jars/log4j-core-2.jar'.
Possibly vulnerable jar '/usr/local/lib/jars/log4j-core.jar'.
$
Note version comparisons are only done for packages, which is why the
above output incudes files ending in a seemingly non-vulnerable version.
To avoid mountpoint traversal on a Unix system where find(1) requires the
-x flag to precede the paths:
$ env CHECK_LOG4J_FIND_OPTS_PRE="-x" check-log4j
No obvious indicators of vulnerability found.
To only search files newer than '/tmp/foo':
$ env CHECK_LOG4J_FIND_OPTS_POST="-newer /tmp/foo" check-log4j
No obvious indicators of vulnerability found.
EXIT STATUS
check-log4j will return 0 if the host was found not to be vulnerable and
not in need of any update; it will return 1 if a vulnerable jar or pack-
age was detected.
If no vulnerability to CVE-2021-44228 / CVE-2021-45046 was found, but
versions below the desired minimum were found, check-log4j will return 2.
SEE ALSO
find(1), lsof(1), rpm(1)
HISTORY
check-log4j was originally written by Jan Schaumann <jans@yahooinc.com>
in December 2021.
BUGS
Please file bugs and feature requests via GitHub pull requests and issues
or by emailing the author.
NetBSD 8.0 February 28, 2022 NetBSD 8.0