
This product pack addresses various aspects of CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, collectively known as the Log4j vulnerability.

Scenario

QUICK START

  1. Upload the Log4j Vulnerability product pack to Tachyon using the Tachyon Product Pack Importer tool
  2. Deploy the policy to all devices
  3. Run any Log4j: ... instructions from Explorer

INSTRUCTION SETS

Log4j

QUESTION: 1E-Exchange-Log4j-ListEnvironmentVariables

Log4J: List environment variables matching list for CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105

READABLE PAYLOAD:

Log4J: List environment variables matching list "%List%" for CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105

PARAMETERS

  List
    Default: *LOG4J*LOOKUPS*; *JAVA_OPTS*
    Description: A semicolon (;) delimited list of environment variable names to find (* wildcard accepted).

OUTPUT

  SearchString (string(128))
    Each of the search strings that were passed in via the List parameter. The List is turned from a ;-delimited list into a table so it can be joined and filtered; each value from that list gets its own row in this column.
  VariableName (string(128))
    The name of the environment variable for UserName which matches the SearchString.
  VariableValue (string(2000))
    The value that the matching variable is set to for UserName.
  UserName (string(128))
    The name of the user (including <System> and service accounts) found to have previously logged on to the device.

NOTES

Queries the Win32_Environment WMI class to get environment variables.

This instruction currently only works on Windows

This instruction first takes the delimited List parameter and turns it into a table. It then queries WMI to get the list of environment variables for all users, including System and service accounts, and tries to find matches for the passed-in list of variable names. If a search string is not found for a user who previously logged on to the device, it shows as {NO MATCHES} for that user. If there is a match, it shows the matching variable(s) and their values. This lets you see the variables which meet your criteria as well as which ones are missing or set to a different value.
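The split-into-a-table, left-join and {NO MATCHES} logic described above, written out in Python as an added example (this is not the product pack's PowerShell). The Win32_Environment rows are a constructed sample rather than a live WMI query, and the helper that reports which users are missing LOG4J_FORMAT_MSG_NO_LOOKUPS=true is this example's own addition, included because a per-user variable overrides the system one:

```python
from fnmatch import fnmatchcase

# Constructed sample standing in for Win32_Environment rows: (UserName, Name, VariableValue).
# WMI reports machine-wide variables with UserName "<SYSTEM>".
SAMPLE_ENV = [
    ("<SYSTEM>", "JAVA_OPTS", "-Xmx2g -Dlog4j2.formatMsgNoLookups=true"),
    ("<SYSTEM>", "LOG4J_FORMAT_MSG_NO_LOOKUPS", "true"),
    ("<SYSTEM>", "Path", r"C:\Windows\system32;C:\Windows"),
    ("CORP\\svc-tomcat", "JAVA_OPTS", "-Xmx4g"),
    ("CORP\\jdoe", "TEMP", r"%USERPROFILE%\AppData\Local\Temp"),
]

NO_MATCH = "{NO MATCHES}"


def split_list(value):
    """Turn the ';'-delimited List parameter into a table of search strings, one row each."""
    return [p.strip() for p in value.split(";") if p.strip()]


def list_environment_variables(list_param="*LOG4J*LOOKUPS*; *JAVA_OPTS*", env_rows=SAMPLE_ENV):
    """Left-join the search-string table against every user's environment.

    Windows variable names are case-insensitive, so both sides are upper-cased before the
    wildcard compare. A (user, search string) pair with no hit yields a {NO MATCHES} row, so the
    output shows what is missing as well as what is set."""
    search_strings = split_list(list_param)
    users = sorted({user for user, _, _ in env_rows})
    rows = []
    for user in users:
        for needle in search_strings:
            hits = [(name, value) for u, name, value in env_rows
                    if u == user and fnmatchcase(name.upper(), needle.upper())]
            if not hits:
                hits = [(NO_MATCH, "")]
            for name, value in hits:
                rows.append({"SearchString": needle, "UserName": user,
                             "VariableName": name, "VariableValue": value})
    return rows


def missing_or_not_true(rows, variable="LOG4J_FORMAT_MSG_NO_LOOKUPS"):
    """Users who lack the mitigation variable or have it set to anything other than 'true'.
    A user-level variable overrides the system one, so <SYSTEM> alone being set is not enough."""
    wanted = variable.upper()
    users = {r["UserName"] for r in rows}
    ok = {r["UserName"] for r in rows
          if r["VariableName"].upper() == wanted and r["VariableValue"].lower() == "true"}
    return sorted(users - ok)


if __name__ == "__main__":
    result = list_environment_variables()
    for row in result:
        print(row)
    print("Users without LOG4J_FORMAT_MSG_NO_LOOKUPS=true:", missing_or_not_true(result))
```

With the sample data, the join produces six rows (two search strings for each of three users), three of them {NO MATCHES}, and only <SYSTEM> has the mitigation variable set.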

QUESTION: 1E-Exchange-Log4j-ListJarFiles

Log4J: List jar files matching Pattern for CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105

READABLE PAYLOAD:

Log4J: List jar files matching "%Pattern%" for CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105

PARAMETERS

  Pattern
    Default: *log4j*.?ar
    Description: The pattern of the filename to find (* and ? wildcards accepted).

OUTPUT

  IsKnownVulnerable (bool)
    A flag that indicates whether the file represented by FileName has the same hash as a known-vulnerable file.
  FileName (string(2000))
    The name of each file, across all fixed disks, which matches the Pattern passed in.
  OriginalFile (string(128))
    The name of the original file as it exists in Apache Logging Services - log4j (https://archive.apache.org/dist/logging/log4j/). In the event that a .jar file on the hard drive has been renamed but still contains a vulnerable version, this column shows what the original file from the framework was and which version it came from.
  Hash (string(128))
    The SHA256 hash of each matching file that was found. This is used to determine whether the file is known vulnerable.

NOTES

This instruction contains the SHA256 hash of every vulnerable version of log4j. It gathers all relevant .jar files and compares their hashes to the hashes of the known-vulnerable files. It returns a list of all files that match the Pattern parameter or match the file name of known-vulnerable files. This lets you see all files that match the filename pattern, with a flag that identifies the files known to be vulnerable.

Currently, this instruction looks for *log4j*.?ar, which matches anything with log4j in the name and the extensions .jar, .war and .ear, in case the file has been renamed to another extension that Java can still open. If you need to be even more inclusive of files that may have been renamed, change the Pattern parameter to simply *.?ar to find all archives regardless of name. This may find many more irrelevant files and take longer to run.
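An added Python example of the hash-based identification described above; it is not the product pack's own code. The page does not publish its hash table, so the "known vulnerable" table here is built from the hash of a constructed fixture file (placeholder bytes, not a real log4j archive), and the point demonstrated is the matching logic: a renamed copy is still identified by content once the Pattern is widened from *log4j*.?ar to *.?ar.

```python
import hashlib
import os
import shutil
import tempfile
from fnmatch import fnmatchcase


def sha256_file(path, chunk=1 << 20):
    """SHA256 of a file, read in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_files(root, pattern="*log4j*.?ar"):
    """Walk root and return every file whose name matches the glob, compared case-insensitively
    (Windows file names are). The '?' covers .jar, .war and .ear in one pattern."""
    pattern = pattern.lower()
    matches = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if fnmatchcase(name.lower(), pattern):
                matches.append(os.path.join(dirpath, name))
    return sorted(matches)


def list_jar_files(root, known_vulnerable, pattern="*log4j*.?ar"):
    """One row per matching file with the instruction's output columns.
    known_vulnerable maps a SHA256 hex digest to the original upstream file name, so a renamed
    copy is still flagged and OriginalFile tells you which file it really is."""
    rows = []
    for path in find_files(root, pattern):
        digest = sha256_file(path)
        original = known_vulnerable.get(digest)
        rows.append({"FileName": path, "Hash": digest,
                     "IsKnownVulnerable": original is not None,
                     "OriginalFile": original or ""})
    return rows


def demo():
    """Constructed fixture in a temp dir: placeholder bytes (not real log4j), one renamed copy of the
    'vulnerable' file, one unrelated jar and a text file. The known-vulnerable table is built from the
    fixture's own hash; the product pack ships the real hashes."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    core_bytes = b"PK\x03\x04 constructed stand-in for log4j-core-2.14.1.jar"
    api_bytes = b"PK\x03\x04 constructed stand-in for log4j-api-2.14.1.jar"
    lib = os.path.join(root, "app", "WEB-INF", "lib")
    vendor = os.path.join(root, "vendor")
    os.makedirs(lib)
    os.makedirs(vendor)
    files = [
        (os.path.join(lib, "log4j-core-2.14.1.jar"), core_bytes),
        (os.path.join(lib, "log4j-api-2.14.1.jar"), api_bytes),
        (os.path.join(vendor, "logging-bundle.ear"), core_bytes),  # same content, renamed
        (os.path.join(root, "README.txt"), b"notes"),
    ]
    for path, data in files:
        with open(path, "wb") as f:
            f.write(data)
    known = {hashlib.sha256(core_bytes).hexdigest(): "log4j-core-2.14.1.jar"}
    try:
        by_name = list_jar_files(root, known)              # default pattern: name-based discovery
        by_content = list_jar_files(root, known, "*.?ar")  # widened pattern: catches the renamed copy
    finally:
        shutil.rmtree(root)
    return by_name, by_content


if __name__ == "__main__":
    _, broad = demo()
    for row in broad:
        print(row["IsKnownVulnerable"], row["OriginalFile"] or "-", row["FileName"])
```

With the default pattern the renamed .ear is never hashed; with *.?ar it is found and flagged, with OriginalFile naming the upstream file it was copied from.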

QUESTION: 1E-Exchange-Log4j-SearchJarFiles

Log4J: Search inside JAR files which match a pattern for files matching a list of patterns for CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105. This lets you identify if certain vulnerable classes exist inside the JAR files

READABLE PAYLOAD:

Log4J: Search inside jar files matching pattern %Pattern% for files matching a list of patterns %PackagedFilePatterns% using optional find fast algorithm %FindFast% for CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105

PARAMETERS

  Pattern
    Default: *log4j*.?ar
    Description: The pattern of the filename to find (* and ? wildcards accepted; matches SQLite GLOB wildcard behavior).
  FindFast
    Default: False
    Possible values: True, False
    Description: When set to True, the fast search algorithm in FindFileByName is used to get the list of files to check.
  PackagedFilePatterns
    Default: *jmsappender.*; *jndilookup.*
    Description: A semicolon (;) delimited list of patterns to match the packaged file names inside the JAR files (* wildcards accepted; each pattern matches PowerShell's -like behavior).

OUTPUT

  PackagedFileName (string(256))
    The file name (no path) of any file inside the JAR files which matched the passed-in patterns.
  Result (string(128))
    The result of the search for the JAR specified. If a file was found, Pattern found is returned. If there was an error opening the JAR, an error message is here and the error details are in the ResultDetails column (which is not in the schema and thus not visible in Explorer, but can be added or used in TIMS for troubleshooting).
  ImplementationTitle (string(128))
    The Implementation-Title: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  ImplementationVendor (string(128))
    The Implementation-Vendor: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  ImplementationVersion (string(128))
    The Implementation-Version: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  JarFullName (string(2000))
    The full name of the JAR files that matched the patterns passed in.
  PackagedFileFullName (string(2000))
    The full name and path of files found inside the JAR. This full name is checked to see if it matches any of the PackagedFilePatterns.
  PackagedLastWriteTimeUtc (string(32))
    The last time (in UTC) that the file was written to before being added to the JAR.
  SpecificationTitle (string(128))
    The Specification-Title: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  SpecificationVendor (string(128))
    The Specification-Vendor: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  SpecificationVersion (string(128))
    The Specification-Version: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.

NOTES

Requires PowerShell 3 or higher

This instruction will first get a list of files that match the Pattern parameter. Then it will loop through that list, open them up and search inside for files matching the patterns in the PackagedFilePatterns parameter. If any files are found, the Result column will show Pattern found. If there was an error opening the JAR file (usually because it's not a valid archive) the Result column will show an error for that JAR file. If there were no matches for the JAR, nothing will be shown for that file.

In other words, this instruction will only show files that match the patterns passed in for known vulnerable patterns inside of JARs. Devices with no matches will have zero rows returned.

There was a bug in certain versions of the client when using FindFast:True which caused the results for the first fixed drive to be correct, but subsequent drives to sometimes show incorrect results. If results on secondary drives seem lower than expected, set FindFast:False.

Check with support to get the latest client which fixes this behavior.

ACTION: 1E-Exchange-Log4j-SetEnvironmentVariables

DESCRIPTION

Log4J: Sets a single environment variable to a specified value for all users for CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105

READABLE PAYLOAD:

Log4J: Set a single environment variable matching VariableName %Name% to Value %Value% for all users for CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105

PARAMETERS

  Name
    Default: LOG4J_FORMAT_MSG_NO_LOOKUPS
    Description: The name of the environment variable to set.
  Value
    Default: true
    Description: The environment variable will be set to this value.

OUTPUT

  VariableName (string(128))
    The name of the passed-in variable being set.
  VariableValue (string(2000))
    The value of the environment variable for the UserName after the Set action has taken place. This can be used to determine whether the Set operation worked properly; if not, the most likely cause is a lack of permissions.
  ValueWasSet (bool)
    A flag indicating whether the VariableValue was properly set by this instruction.
  UserName (string(128))
    The name of the user (including <System> and built-in or service accounts) for whom this environment variable is being set.

NOTES

Requires PowerShell 3 or higher

Because a user environment variable overrides the system environment variable, it is not enough to simply set the environment variable for <System>. It is also necessary to set the variable to the specified value for all users as well as <System>. This instruction will do that.

ACTION: 1E-Exchange-Log4j-RemoveJarFileContent

Log4J: Search inside jar files matching a pattern for files matching a list of patterns and remove/delete them for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

READABLE PAYLOAD:

Log4J: Search inside jar files matching pattern %Pattern% using optional find fast algorithm %FindFast% for files matching a list of patterns %PackagedFilePatterns% matching Log4j Implementation-Version regex %VersionRegEx% and remove them from the jar %Action%

PARAMETERS

  Pattern
    Default: *log4j*.?ar
    Description: The pattern of the filename to find (* and ? wildcards accepted; matches SQLite GLOB wildcard behavior).
  FindFast
    Default: False
    Possible values: True, False
    Description: When set to True, the fast search algorithm in FindFileByName is used to get the list of files to check.
  PackagedFilePatterns
    Default: *jmsappender.*; *jndilookup.*
    Description: A semicolon (;) delimited list of patterns to match the packaged file names inside the JAR files (* wildcards accepted; each pattern matches PowerShell's -like behavior).
  Action
    Default: List files to remove
    Possible values: List files to remove, Remove files from jar
    Description: The action to take on the JAR file content. If the value is List files to remove, this instruction searches for matches and returns a list of the content that would be removed; this is like a -WhatIf parameter. If the value is Remove files from jar, this instruction searches for matching content that should be removed from the JAR and removes/deletes those matches, leaving everything else in the JAR untouched.
  VersionRegEx
    Default: (2\.([02-9](\.[012]|\-(beta9|rc[12]))?|1([013-6][.0-9]+|2\.[01])?))
    Description: A regular expression that identifies all of the versions of Log4j that are relevant (based on the Implementation-Version of the JAR).

OUTPUT

  PackagedFileName (string(256))
    The file name (no path) of any file inside the JAR files which matched the passed-in patterns.
  Result (string(128))
    The result of the search for the JAR specified. If a file was found, Pattern found is returned. If there was an error opening the JAR, an error message is here and the error details are in the ResultDetails column (which is not in the schema and thus not visible in Explorer, but can be added or used in TIMS for troubleshooting).
  ImplementationTitle (string(128))
    The Implementation-Title: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  ImplementationVendor (string(128))
    The Implementation-Vendor: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  ImplementationVersion (string(128))
    The Implementation-Version: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  JarFullName (string(2000))
    The full name of the JAR files that matched the patterns passed in.
  PackagedFileFullName (string(2000))
    The full name and path of files found inside the JAR. This full name is checked to see if it matches any of the PackagedFilePatterns.
  PackagedLastWriteTimeUtc (string(32))
    The last time (in UTC) that the file was written to before being added to the JAR.
  SpecificationTitle (string(128))
    The Specification-Title: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  SpecificationVendor (string(128))
    The Specification-Vendor: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.
  SpecificationVersion (string(128))
    The Specification-Version: property from the MANIFEST.MF within the JAR. This is a straight copy of the value in the manifest.

NOTES

Requires PowerShell 3 or higher

If the value is List files to remove, this instruction will search for matches and return a list of the content that would be removed. This is like a -whatif parameter.

If the value is Remove files from jar, this instruction will search for matches of content that should be removed from the jar and will remove/delete those matches (leaving everything else in the jars untouched).

This instruction will first get a list of files that match the Pattern parameter. Then it will loop through that list, open them up and search inside for files matching the patterns in the PackagedFilePatterns parameter. It will also filter those results based on the VersionRegEx parameter, which looks at the Implementation-Version: value in the MANIFEST.MF file and returns matches based on that regular expression. If there was an error opening the JAR file (usually because it's not a valid archive) the Result column will show an error for that JAR file. If there were no matches for the JAR, nothing will be shown for that file.

In other words, this instruction will only show files that match the patterns passed in for known vulnerable patterns inside of JARs. Devices with no matches will have zero rows returned.

There was a bug in certain versions of the client when using FindFast:True which caused the results for the first fixed drive to be correct, but subsequent drives to sometimes show incorrect results. If results on secondary drives seem lower than expected, set FindFast:False.

Check with support to get the latest client which fixes this behavior.
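The following Python is an added example covering both JAR instructions described above (1E-Exchange-Log4j-SearchJarFiles and 1E-Exchange-Log4j-RemoveJarFileContent): open each archive, read Implementation-Version from MANIFEST.MF, keep only JARs whose version matches VersionRegEx, report packaged entries matching PackagedFilePatterns as Pattern found, report an unreadable archive as an error row, and in Remove mode rewrite the JAR without the matching entries. It is not the product pack's PowerShell. The defaults and the regex are copied from the parameter tables; the fixture JARs are constructed (placeholder bytes, not real bytecode); and anchoring the version match with re.fullmatch is this example's choice, made because an unanchored search of the page's regex also matches 2.17.x through its "2.1" alternative.

```python
import os, re, shutil, tempfile, zipfile
from fnmatch import fnmatchcase

# Defaults copied from the product pack's parameter tables.
DEFAULT_PACKAGED_PATTERNS = "*jmsappender.*; *jndilookup.*"
DEFAULT_VERSION_REGEX = r"(2\.([02-9](\.[012]|\-(beta9|rc[12]))?|1([013-6][.0-9]+|2\.[01])?))"
LIST_ACTION, REMOVE_ACTION = "List files to remove", "Remove files from jar"

def split_list(value):
    """';'-delimited parameter to a list of trimmed patterns."""
    return [p.strip() for p in value.split(";") if p.strip()]

def version_matches(version, regex=DEFAULT_VERSION_REGEX):
    """Anchored match of Implementation-Version against VersionRegEx (anchoring is this example's choice)."""
    return re.fullmatch(regex, version) is not None

def parse_manifest(zf):
    """Main-section attributes of META-INF/MANIFEST.MF; continuation lines start with one space."""
    attrs, key = {}, None
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return attrs
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            attrs[key.strip()] = val.strip()
    return attrs

def scan_jar(jar_path, packaged_patterns=DEFAULT_PACKAGED_PATTERNS, version_regex=DEFAULT_VERSION_REGEX):
    """One row per packaged entry matching the patterns once the version filter passes, an empty list
    when nothing matches, or a single error row. Column names follow the instruction's schema."""
    patterns = [p.lower() for p in split_list(packaged_patterns)]
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = parse_manifest(zf)
            version = manifest.get("Implementation-Version", "")
            if version_regex and not version_matches(version, version_regex):
                return []
            return [{"JarFullName": jar_path, "PackagedFileFullName": info.filename,
                     "PackagedFileName": info.filename.rsplit("/", 1)[-1],
                     "ImplementationVersion": version, "Result": "Pattern found"}
                    for info in zf.infolist()
                    if any(fnmatchcase(info.filename.lower(), p) for p in patterns)]
    except zipfile.BadZipFile as exc:
        return [{"JarFullName": jar_path, "Result": "Error opening JAR", "ResultDetails": str(exc)}]

def remove_from_jar(jar_path, rows):
    """Rewrite the archive without the listed members; every other entry keeps its original metadata."""
    doomed = {r["PackagedFileFullName"] for r in rows}
    fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename not in doomed:
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, jar_path)  # swap in only after the new archive is completely written
    return len(doomed)

def remove_jar_file_content(jar_path, action=LIST_ACTION, **scan_kwargs):
    """The action end to end: List is the -WhatIf view; Remove rewrites the JAR and marks rows Removed."""
    rows = scan_jar(jar_path, **scan_kwargs)
    if action == REMOVE_ACTION and rows and rows[0]["Result"] == "Pattern found":
        remove_from_jar(jar_path, rows)
        for r in rows:
            r["Result"] = "Removed"
    return rows

def build_sample_jar(path, version):
    """Constructed fixture: a log4j-like manifest plus placeholder class entries (not real bytecode)."""
    manifest = ("Manifest-Version: 1.0\r\nImplementation-Title: Constructed Log4j Core\r\n"
                f"Implementation-Version: {version}\r\n\r\n")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for cls in ("lookup/JndiLookup.class", "net/JMSAppender.class", "Logger.class"):
            zf.writestr("org/apache/logging/log4j/core/" + cls, b"\xca\xfe\xba\xbe constructed")
    return path

def demo():
    """List, remove and error paths against constructed fixtures in a temp dir; returns the results."""
    root = tempfile.mkdtemp(prefix="jar-demo-")
    vuln = build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    fixed = build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    bad = os.path.join(root, "notreally.jar")
    with open(bad, "wb") as f:
        f.write(b"this is not a zip archive")
    listed = remove_jar_file_content(vuln)                        # -WhatIf view: archive untouched
    removed = remove_jar_file_content(vuln, action=REMOVE_ACTION)  # rewrite without the matches
    with zipfile.ZipFile(vuln) as zf:
        remaining = zf.namelist()
    out = {"listed": listed, "removed": removed, "remaining": remaining,
           "fixed": scan_jar(fixed), "bad": scan_jar(bad)}
    shutil.rmtree(root)
    return out
```

Running demo() lists JndiLookup.class and JMSAppender.class in the 2.14.1 fixture, removes them while leaving the manifest and Logger.class in place, returns no rows for the 2.17.1 fixture (filtered out by VersionRegEx), and returns a single error row for the file that is not a valid archive.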


Info

Status: Not Verified
Author: 1E Product Pack Team
Category: Security, Vulnerability
Compatibility: Platform - v8.0, v5.2
