Putting Effective IT Operations in the Limelight with Log4j
December 9 brought about news of Apache Log4j’s vulnerability exploit and had the software world in a frenzy. The primary reason behind it was that Log4j is the most popular logging service for Java, and it has been used in innumerable internet services and products. This includes products of Tech giants like Amazon, Apple, Tesla, Steam, and Cloudflare among others.
The situation brings fear for both vendors and users as it is an easy vulnerability to exploit that allows launching remote code attacks on a variety of devices as well as gaining control of java-based servers in companies. Now, new variations are being added to the original exploit which is making the attack’s potential rise at a fast pace.
BigFix is a popular tool that can automate your deployment tasks and also remove the need to write individual scripts repeatedly. It can help automate the process of finding your Log4j installations and replacing them with the fixes. As such, advanced authentication methods will be of little help since the attack takes place before the authentication process, thereby bypassing any security measures you may place in your applications
IT Operations on The Front Lines Protect Every Enterprise from Log4j
Step 1. Find Log4j in your system
For the first step towards protection from the new vulnerabilities, you will need to investigate all your applications, websites, and systems for traces of Log4j. This goes especially for internet-based systems that may have some sensitive data. After completing the assessment, you should then move on to other endpoint apps that you have used such as Citrix and Minecraft.
Good news for you is that BigFix has released tools that can help you find all traces of Log4j in your systems. This has been achieved thanks to a simple, two-step process. The first step requires you to deploy a task on all your endpoints that would gather names of all files that have Log4j extension and store these names. The second step will create an analysis that will read the files so that the admin can identify all the vulnerable endpoints in the system.
1.1 Scanning Task in BigFix
BigFix uses the scanning task to search for all traces of Log4j in your system and then stores the names on a text file that can be stored at a location of your choice. You can run the task with the shell command script – ‘dir/s’ for Windows, and ‘find’ for Linux.
For storing the names, BigFix will check whether the given location’s path is present or not. If not, then it will create a new file titled ‘CVE-2021-44228.txt’ at that location.
By running the task, all the files with the Log4j extension, their version number, registry path, and various other values will be stored in the given file.
1.2 Analysis by BigFix
Scanning task analysis is the second part of the task to determine server count or name against vulnerability and how much of your system is vulnerable in the network.
The analysis parser the result of scanning task based of CVE-2021—44228 and the following properties will be reported in the analysis result:
- Scan result exists – Indicate that scan has been done on the endpoint
- Scan completion time – Indicate time of scan if scan is still not in progress
- Log4j pathnames – Indicate the file paths where any log4j-core.jar* file has been found
- Log4j potentially vulnerable – based on log4j-core.jar* file named indicate version is earlier than 2.15.0
- Log4j Sha value and matching known version – From all detected log4j-core.jar* files compare the given file to a list of known sha1 hashes and indicate whether the file matches any of the known hashes.
Next, we can download sha1/sha256 hashes, Below are the list for comparison
After running the analysis, we get the final report whether the servers are vulnerable against CVE-2021-44228 or not.
If you want to run this task in your network, you can download it from below link
BigFix Scanning Task – https://bigfix.me/fixlet/details/26897
BigFix Analysis Fixlet – https://bigfix.me/analysis/details/2998668
Step 2. Patch all the endpoints. If you don’t find a patch or workaround then uninstall the application.
BigFix automates the discovery and management of all your endpoints on the given system. These endpoints can be either online (cloud-based), or on your local servers.
While the pandemic situation may have forced a lot of endpoints to be present in the homes of your employees, it is still possible to patch the Log4j applications. Your operations team will need to use systems like BigFix as several of your employees may ignore the instructions to patch the application on their system.
How BigFix Helps
BigFix provides insights for the vulnerabilities and integrates them with a variety of vulnerability management solutions such as Tenable that can remediate vulnerabilities present due to Log4j. Thanks to BigFix, you will be able to manage all your endpoints – now and in the future as well.
The steps given above will be crucial in preventing attacks on your systems. If you encounter any problems along the way, please feel free to get in touch with our DEV IT engineers for support.
Latest posts by Tejas Trivedi (see all)
- How to Deploy Effective Software through BigFix - March 3, 2022
- Putting Effective IT Operations in the Limelight with Log4j - March 3, 2022
- Best Practices for Securing Windows Server - January 10, 2017