How To Find Log4j Version In Windows

Tabular array of Contents

‍

What is log4j?

Vulnerabilities in log4j

Identifying vulnerable log4j JARs on Windows

Notes on interpreting results

Mitigation

Conclusion

What is log4j?

‍

Log4j is a Java based logging library developed by volunteers and maintained under the Apache Software Foundation (ASF). Information technology's pluggable nature and cantankerous-platform operability makes it 1 of the near extensively used logging utilities. Bated from being used straight, it as well comes bundled with a lot of softwares, peculiarly Java applications, as the default logging library.

‍

Vulnerabilities in log4j

‍

On 9th Dec a naught-day vulnerability, dubbed "Log4Shell", was disclosed to the public. This vulnerability gave the attacker the ability to execute arbitrary code on systems by making the log4j library log a specially crafted string. The severity for this security upshot is 10, the highest possible vulnerability score. This is one of, if not the near, serious security vulnerabilities in the past decade due to multiple reasons:

1. Successful exploitation of the vulnerability allows Remote Code Execution (RCE), assuasive the aggressor to gain admission to the underlying system that is running log4j
2. The ability to perform this set on (potentially) without authentication because the logs could likewise exist generated for unauthenticated operations
3. The ability to piggy-back on the compromised system to exploit other resource that might non have been function of the public internet
4. The library is used beyond multiple operating systems, environments (On prem, Cloud - AWS, GCP, etc.), applications, if non straight then potentially as a bundled package
5. Mitigation for the crafted cord is extremely difficult due to the sheer corporeality of variations that could exist implemented for the payload cord

Hither'southward a demonstration of the vulnerability being exploited:

‍

Since the public disclosure of the vulnerability, multiple CVEs have been published for log4j:

1. CVE-2021-44228 - A vulnerability was identified that logging a specially crafted string could apply LDAP and JNDI to invoke arbitrary lawmaking. This had a severity rating of ten (Critical)
2. CVE-2021-45046 - Information technology was identified that the patch released for fixing CVE-2021-44228 was incomplete against non-default configurations for log4j and immune code execution under not-default configurations
3. CVE-2021-45105 - It was identified that log4j versions from two.0-alpha1 through 2.16.0 did not mitigate uncontrolled recursion from cocky-referential lookups allowing assaulter to have control of Thread Control Matrix causing denial of service
4. (Update) CVE-2021-44832 - A RCE is possible in v2.17.ane as well nether controlled conditions. Vulnerability rated with moderate severity.

‍

Identifying vulnerable log4j JARs on Windows

‍

Apply log4jscanwin, a tool created by Qualys, to scan Windows machines.

The following steps will assist identify the beingness of vulnerable versions of log4j JAR files nowadays on a Windows machine:

one. Log on to the Windows car

2. Use a browser to download the ZIP archive for the latest version of log4jscanwin from https://github.com/Qualys/log4jscanwin/releases/latest

iii. Once downloaded, extract files from the annal, it should contain two directories within the root binder - x86 and x64.

4. To know the architecture of our Windows machine:

1. Navigate to the start carte du jour
2. Search for "This PC"
3. Right click on the "This PC" icon and select the backdrop selection
4. Annotation the compages mentioned under properties

v. Next, navigate to start menu, search for CMD, right click and select the option "Run as ambassador" (The administrator password would be required if this task is being performed by a not-admin user)

6. Inside CMD, navigate to the extracted binder and so to the folder containing the exe file based on the car's architecture that was determined in step 4

seven. To start the scan, run the post-obit command:

Log4jScanner.exe /browse

‍

viii. Once the scan is complete, it would listing whatsoever identified log4j JAR files along with relevant information if the version is vulnerable

nine. Stop at pace 8 with the list of softwares containing vulnerable versions of log4j where  patching is required to exist performed

10. Additionally, to perform a sanity cheque confronting the log4j JAR files that were identified merely non classified vulnerable, check if they are fake negatives by:

1. Calculating their SHA1 sums by running the following command in PowerShell

get-filehash -Algorithm SHA1 '<path\to\JAR\file>'

2. Navigate to this CSV of SHA1 hashes curated from vulnerable log4j JAR files and search if the hash calculated in step '1' exists in the CSV

3. If the hash matches an existing entry in the CSV, the corresponding JAR file that was identified from the tool (only considered not vulnerable) might also be potentially vulnerable

‍

Notes on interpreting the results

‍

Log4jscanwin would identify all log4j JARs, but sometimes these JAR files might not exist available directly as a JAR. For case, the JAR could exist present under some other annal file such as Web Archive (WAR) files. Jenkins is a great example that uses WAR files. When log4jscanwin identifies a log4j JAR inside another archive file, for example  "jenkins.war", the path would look like

path\to\jenkins.war!path\inside\war\to\log4j.jar          

In this instance, the issue would either be conclusive that the JAR is vulnerable, warranting no further activeness other than patching it but if the upshot is inconclusive and you want to verify the SHA1 hash of the JAR yourself, y'all tin can use a tool like 7zip to excerpt files from the WAR file and and then navigate to the path of the log4j JAR file, calculate the hash and compare it with the hashes present in the CSV mentioned in the previous section.

Another important matter to note is that it is the Java Naming and Directory Interface (JNDI) that causes the vulnerabilities and not log4j itself. Thus, if the JNDI grade is missing from log4j, it is safe to employ and not vulnerable to CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4483.

‍

Mitigation

‍

Once you have confirmed the beingness of vulnerable versions of log4j running on your Windows machines, it is necessary  to patch them to mitigate the security event. Depending on the environment, the mitigation steps differ. For instance, if the security upshot is found in a managed deject environment such as AWS, await for the vendor to patch it. For software that might use log4j as a component, check if the vendor for the software has released an update which includes the patch, and if the update with the patch exists, apply the update equally soon equally possible.

‍

It should also be noted that some manufactures mention updating to log4j-2.16.0 as the mitigation. This is no longer truthful equally CVE-2021-45105 is present in all log4j versions from 2.0-alpha1 to two.xvi.0 and thus, users must update to log4j-2.17.0 to mitigate all three zilch-days identified for log4j.

‍

Conclusion

‍

Log4j is an extensively used, Java based logging utility which was recently establish to be vulnerable to a zero-day exploit. Since this software is prevalent in many systems across a diverse range of environments, the attack surface of this vulnerability is extremely wide. This issue is classified with a CVSS score of 10, the highest possible score. From the moment the first nix-day exploit was made public, two more zip-days take been identified.

‍

This is a critical issue and thus needs to be identified in our environments, so any vulnerable versions of log4j tin can be patched, or at least proper monitoring be set until the vendor releases a patch. Log4jscanwin is a tool that can be utilized  to scan our Windows workloads to identify vulnerable log4j JARs and so apply appropriate mitigation strategies to secure ourselves and improve the security posture of our organization.

‍

***

‍

This article is brought to you by Kloudle Academy, a costless e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security direction platform that uses the power of automation and simplifies human requirements in deject security. If you wish to give your feedback on this article, you lot can write to us hither.

Source: https://kloudle.com/academy/using-log4jscanwin-to-identify-log4j-vulnerabilities-on-windows-machines

Posted by: massingillglelavold.blogspot.com

Share this post