I would like to know if there is a way to scan our log4j.properties file for the below-mentioned vulnerable classes/appenders, using Nolio or without it.
Release : 6.X
Component : CA RELEASE AUTOMATION CORE
The vulnerable appenders can be detected in log4j.properties using the methods below.
Command Line
Syntax:
Linux: cd INSTALL_DIR; grep -E "JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup" PATH_TO_LOG4J.PROPERTIES
Windows CMD: cd INSTALL_DIR && findstr /i /r "JDBCAppender JMSSink SocketServer JMSAppender Chainsaw JndiLookup" PATH_TO_LOG4J.PROPERTIES
Windows PowerShell: cd INSTALL_DIR; Select-String -Path .\PATH_TO_LOG4J.PROPERTIES -Pattern "JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup"
Examples (referencing NAC install directories)
Linux: cd NAC_INSTALL_DIR; grep -E "JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup" webapps/datamanagement/WEB-INF/log4j.properties
Windows CMD: cd NAC_INSTALL_DIR && findstr /i /r "JDBCAppender JMSSink SocketServer JMSAppender Chainsaw JndiLookup" webapps\datamanagement\WEB-INF\log4j.properties
Windows PowerShell: cd NAC_INSTALL_DIR; Select-String -Path .\webapps\datamanagement\WEB-INF\log4j.properties -Pattern "JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup"
Via Nolio Process
A process that checks files on the system for vulnerable classes/appenders requires the additional setup described below.
The RA process can consist of a single action with the recommended configuration below:
Action Configuration:
Name: Find Text in File - search Agent log4j.properties
Type: Find Text in File
File Path: PATH_TO_LOG4J.PROPERTIES
Text To Find: JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup
Text Should Exist [Boolean]: false
Case Sensitive [Boolean]: (Default value)
Regular Expression: true
File Character Set: (Default value)
Timeout: (Default value)
Example (identifying vulnerable classes/appenders in the Agent install directory)
Action configuration on Agent:
Name: Find Text in File - search Agent log4j.properties
Type: Find Text in File
File Path: conf/log4j.properties
Text To Find: JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup
Text Should Exist [Boolean]: false
Case Sensitive [Boolean]: (Default value)
Regular Expression: true
File Character Set: (Default value)
Timeout: (Default value)
On agent machines, the commands/actions above can be used to detect vulnerable appenders used in the PATH_TO_AGENT_INSTALL_DIR/conf/remoteProcess.log4j.properties. These vulnerable appenders are not used by default in any of Nolio's log4j.properties/remoteProcess.log4j.properties files. However, it is possible for a customized version to use these vulnerable appenders.
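The Linux grep check above, extended as an added example (not vendor-supplied code): it walks an install directory, checks every *log4j.properties file including remoteProcess.log4j.properties, and separates commented-out lines from active ones, which the plain grep does not do. The function names scan_log4j_props and scan_tree are hypothetical; the "#" / "!" comment rule is standard Java properties syntax.

```shell
#!/bin/sh
# Added example, not vendor code. PATTERN is the expression used in the article.
PATTERN='JDBCAppender|JMSSink|SocketServer|JMSAppender|Chainsaw|JndiLookup'

# scan_log4j_props FILE  (hypothetical helper name)
# Prints "FILE:LINE:STATE:TEXT" per hit; STATE is "active" or "commented".
# Returns 0 if an active hit exists, 1 if none, 2 if the file is unreadable.
scan_log4j_props() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    awk -v pat="$PATTERN" '
        $0 ~ pat {
            # Java .properties syntax: first non-blank char "#" or "!" = comment
            state = ($0 ~ /^[ \t]*[#!]/) ? "commented" : "active"
            if (state == "active") found = 1
            printf "%s:%d:%s:%s\n", FILENAME, NR, state, $0
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# scan_tree DIR  (hypothetical helper name)
# Scans every file named *log4j.properties under DIR, which also covers
# remoteProcess.log4j.properties. Returns 0 if any file has an active hit.
scan_tree() {
    find "$1" -type f -name '*log4j.properties' | (
        rc=1
        while IFS= read -r f; do
            scan_log4j_props "$f" && rc=0
        done
        exit "$rc"
    )
}

# Stand-alone use: sh scan.sh INSTALL_DIR
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

An exit status of 0 means at least one uncommented line references a listed class and the file needs review; lines reported as "commented" are inactive but would take effect if someone removes the comment marker.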