Log4shell Deep Scan
Adapted version of Log4Shell Deep Scanner created by Arctic Wolf.
Worklet Details
Introduction to the Bash-Based Log4shell Deep Scan Worklet
The Log4shell Deep Scan Worklet is a Linux-based solution designed to identify and mitigate the risks associated with the Log4shell vulnerability (CVE-2021-44228 and CVE-2021-45046).
This Worklet is adapted from Arctic Wolf's open-source scanning tool. The Log4shell Deep Scan Worklet searches for Java applications that ship the JndiLookup.class from vulnerable Log4j versions, looking inside the JAR, WAR, and EAR files present on a system.
Why would you use the Log4shell Deep Scan Worklet?
Threat actors have been exploiting the Log4shell vulnerability to gain unauthorized access to systems, exfiltrate sensitive information, and perform other malicious activities. It is crucial for security teams to identify Java applications that contain the vulnerable version of Log4j as part of their remediation efforts.
Successful deployment of this Worklet helps organizations ensure that they are not susceptible to exploitation attempts related to this severe vulnerability.
Components of the Log4shell Deep Scan Worklet
The Worklet consists of two main components: an evaluation script and a remediation script. The evaluation script verifies whether there are any vulnerable versions present in your environment by scanning JAR, WAR, and EAR files for the presence of JndiLookup.class files. If found, it checks whether these files have been updated with patches addressing the vulnerability.
How does the Log4shell Deep Scan Worklet work?
The Worklet starts by searching for archive files (JAR, WAR, and EAR) under a specified search root, defaulting to "/". It then recursively inspects each archive for nested JAR files or class files, looking for JndiLookup.class. If an unpatched version is detected, it flags the application as vulnerable. Where the script is unable to read an application, it reports that application as unknown.
What is the expected outcome when you use the Log4shell Deep Scan Worklet?
Upon execution, the Worklet generates a JSON output file that contains details about affected applications and their respective vulnerabilities. It also provides a log file with additional information related to the scan process. The Worklet will present one of three possible results:
1. PASS: No Java applications containing Log4j JndiLookup were found.
2. FAIL: Applications containing vulnerable versions of Log4j JndiLookup were detected.
3. UNKNOWN: Some applications were unreadable by the detection script, requiring further investigation.
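The detection flow described above (walk a search root for archives, recurse into nested archives, match JndiLookup.class, then derive a PASS/FAIL/UNKNOWN verdict), written out as an added illustration that is not the Worklet's own Bash code or Arctic Wolf's scanner. It uses Python's standard zipfile module so it runs offline; the fixture files (app.war, clean.jar, broken.ear) and the entry path used for JndiLookup.class are constructed for the demo, and the Worklet's additional check for patched versions is not modelled.

```python
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # entry the scan flags
ARCHIVE_EXTS = (".jar", ".war", ".ear")  # archive types the Worklet walks, outer and nested

def scan_archive(src, depth=0, max_depth=8):
    """src is a path or file-like object; returns (found, unreadable) for it and its nested archives."""
    if depth > max_depth:  # bound recursion so a pathological nest cannot hang the scan
        return False, True
    try:
        with zipfile.ZipFile(src) as zf:
            found = unreadable = False
            for name in zf.namelist():
                if name == JNDI_LOOKUP:
                    found = True
                elif name.lower().endswith(ARCHIVE_EXTS):  # nested jar/war/ear: scan it in memory
                    f, u = scan_archive(io.BytesIO(zf.read(name)), depth + 1, max_depth)
                    found, unreadable = found or f, unreadable or u
            return found, unreadable
    except (zipfile.BadZipFile, OSError, RuntimeError, NotImplementedError):
        return False, True  # corrupt, encrypted or unopenable: report unknown, never clean

def scan_root(root):
    report = {"vulnerable": [], "unknown": []}  # buckets mirror the Worklet's JSON output
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                found, unreadable = scan_archive(path)
                bucket = "vulnerable" if found else "unknown" if unreadable else None
                if bucket:
                    report[bucket].append(os.path.relpath(path, root))
    report["result"] = "FAIL" if report["vulnerable"] else "UNKNOWN" if report["unknown"] else "PASS"
    return report

def demo():  # constructed fixtures: a WAR nesting a log4j-core jar, a clean jar, a corrupt EAR
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(os.path.join(tmp, "app.war"), "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
        with zipfile.ZipFile(os.path.join(tmp, "clean.jar"), "w") as zf:
            zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        with open(os.path.join(tmp, "broken.ear"), "wb") as fh:
            fh.write(b"not a zip archive")
        return scan_root(tmp)
```

Running `demo()` yields a FAIL verdict with app.war in the vulnerable list and broken.ear in the unknown list, while clean.jar appears in neither.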
By using this Worklet, security teams can quickly identify vulnerable Java-based applications in their environment and take appropriate actions to patch or mitigate the risks associated with the Log4shell vulnerability. This will help organizations ensure that they are on the latest version of Log4j and remain protected against potential exploitation attempts by threat actors.
Consider Worklets your easy button
What's a Worklet?
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.