Scanning Vulnerable appender/classes in log4j.properties


Article ID: 238016


Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

I would like to know if there is a way to scan our log4j.properties file for the below-mentioned vulnerable classes/appenders using Nolio or without it.

  • CVE-2019-17571: SocketServer.class
  • CVE-2021-44228: JndiLookup.class
  • CVE-2021-4104: JMSAppender.class
  • CVE-2022-23305: JDBCAppender.class
  • CVE-2022-23307: chainsaw/*.class
  • CVE-2022-23302: JMSSink.class

Environment

Release : 6.X

Component : CA RELEASE AUTOMATION CORE

Resolution

The vulnerable appenders can be detected in log4j.properties using the methods below.

Command Line

Syntax:

    • Linux: cd INSTALL_DIR; grep -iE "JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup" PATH_TO_LOG4J.PROPERTIES
    • Windows CMD: cd INSTALL_DIR && findstr /i /r "JDBCAppender JMSSink SocketServer JMSAppender Chainsaw JndiLookup" PATH_TO_LOG4J.PROPERTIES
    • Windows PowerShell: cd INSTALL_DIR; Select-String -Path .\PATH_TO_LOG4J.PROPERTIES -Pattern "JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup"

Examples (referencing NAC install directories)

    • Linux: cd NAC_INSTALL_DIR; grep -iE "JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup" webapps/datamanagement/WEB-INF/log4j.properties
    • Windows CMD: cd NAC_INSTALL_DIR && findstr /i /r "JDBCAppender JMSSink SocketServer JMSAppender Chainsaw JndiLookup" webapps\datamanagement\WEB-INF\log4j.properties
    • Windows PowerShell: cd NAC_INSTALL_DIR; Select-String -Path .\webapps\datamanagement\WEB-INF\log4j.properties -Pattern "JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup"
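
A stricter variant of the Linux check above, as an added example that is not part of the original article or of Nolio. A plain grep also reports commented-out appender lines, so this function skips properties comments (# and !), matches case-insensitively, and tags each hit with the CVE from the list in the Issue section. The function names and the sample file content are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the vendor article): comment-aware scan of a
# log4j 1.x properties file for the class names listed in this article.

scan_log4j_props() {
  # $1 = path to a log4j.properties file. Prints "line:CVE:text" per hit.
  # Exit status: 0 = at least one hit, 1 = no hit, 2 = file unreadable.
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  awk '
    BEGIN {
      # Lower-cased class names mapped to the CVE ids given in the article.
      cve["socketserver"] = "CVE-2019-17571"
      cve["jndilookup"]   = "CVE-2021-44228"
      cve["jmsappender"]  = "CVE-2021-4104"
      cve["jdbcappender"] = "CVE-2022-23305"
      cve["chainsaw"]     = "CVE-2022-23307"
      cve["jmssink"]      = "CVE-2022-23302"
    }
    /^[ \t]*[#!]/ { next }   # Java properties comments begin with # or !
    {
      low = tolower($0)      # case-insensitive match, portable across awks
      for (k in cve)
        if (index(low, k)) { printf "%d:%s:%s\n", NR, cve[k], $0; hits++ }
    }
    END { exit (hits ? 0 : 1) }
  ' "$1"
}

sample_props() {
  # Constructed sample content, not taken from a Nolio installation.
  cat <<'EOF'
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
# log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=exampleTopic
EOF
}

# Demo run: only line 4 is reported; the commented JDBCAppender line is skipped.
tmp=$(mktemp) && sample_props > "$tmp" && scan_log4j_props "$tmp"
rm -f "$tmp"
```

The exit status (0 when a listed class is referenced, 1 when the file is clean) makes the function usable as a gate in a wrapper script.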

Via Nolio Process

For a process to check the files on a system for vulnerable classes/appenders, some additional setup is required:

    • An RA agent on the system
    • Full path of the files
    • Access rights to directories and files for the agent service account

The RA process can consist of a single action with the recommended configuration below.

Action Configuration: 

Name: Find Text in File - search Agent log4j.properties
Type: Find Text in File
File Path: PATH_TO_LOG4J.PROPERTIES
Text To Find: JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup
Text Should Exist [Boolean]: false
Case Sensitive [Boolean]: (Default value)
Regular Expression: true
File Character Set: (Default value)
Timeout: (Default value)

Example (identifying vulnerable classes/appenders in the Agent install directory)

Action configuration on Agent: 

Name: Find Text in File - search Agent log4j.properties
Type: Find Text in File
File Path: conf/log4j.properties
Text To Find: JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup
Text Should Exist [Boolean]: false
Case Sensitive [Boolean]: (Default value)
Regular Expression: true
File Character Set: (Default value)
Timeout: (Default value)

Additional Information

On agent machines, the commands/actions above can be used to detect vulnerable appenders used in the PATH_TO_AGENT_INSTALL_DIR/conf/remoteProcess.log4j.properties. These vulnerable appenders are not used by default in any of Nolio's log4j.properties/remoteProcess.log4j.properties files. However, it is possible for a customized version to use these vulnerable appenders.